Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-chxfwshaak
Target d33ee6619b671295dfd9a8599eff6bfba63f4b71811d1c304e0132caa36543bc
SHA256 d33ee6619b671295dfd9a8599eff6bfba63f4b71811d1c304e0132caa36543bc
Tags: masslogger collection persistence ransomware spyware stealer

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d33ee6619b671295dfd9a8599eff6bfba63f4b71811d1c304e0132caa36543bc

Threat Level: Known bad

The file d33ee6619b671295dfd9a8599eff6bfba63f4b71811d1c304e0132caa36543bc was found to be: Known bad.

Malicious Activity Summary

masslogger collection persistence ransomware spyware stealer

MassLogger

Masslogger family

MassLogger Main Payload

MassLogger log file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 02:05

Signatures

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Masslogger family

masslogger

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 02:05

Reported

2022-05-21 03:08

Platform

win7-20220414-en

Max time kernel

177s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img_0933.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\admin = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 300 set thread context of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1996 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1996 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1996 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 908 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Users\Admin\Desktop\.exe
PID 908 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Users\Admin\Desktop\.exe
PID 908 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Users\Admin\Desktop\.exe
PID 908 wrote to memory of 300 | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | C:\Users\Admin\Desktop\.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 300 wrote to memory of 1428 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\img_0933.exe

"C:\Users\Admin\AppData\Local\Temp\img_0933.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"

C:\Users\Admin\Desktop\.exe

"C:\Users\Admin\Desktop\.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp

Files

memory/908-54-0x0000000000A00000-0x0000000000B60000-memory.dmp

memory/908-55-0x00000000004C0000-0x00000000004DE000-memory.dmp

memory/908-56-0x00000000005B0000-0x00000000005BA000-memory.dmp

memory/1996-57-0x0000000000000000-mapping.dmp

memory/2000-58-0x0000000000000000-mapping.dmp

memory/300-60-0x0000000000000000-mapping.dmp

\Users\Admin\Desktop\.exe

MD5 f8d0bab3e3367fbd94c1f82eb33714e7
SHA1 e457ae2ad469dd932300a02a4e3b9c03010d5e31
SHA256 cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
SHA512 0064460f534399a26e4dd2e29804c3f8b7cd3d8b97808a9ae713c6e7eed0facd621ed3d98f3dad1b655ed051e069fbb9e513b1d51d0ccf61bfde30f668c65784

C:\Users\Admin\Desktop\.exe

MD5 f8d0bab3e3367fbd94c1f82eb33714e7
SHA1 e457ae2ad469dd932300a02a4e3b9c03010d5e31
SHA256 cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
SHA512 0064460f534399a26e4dd2e29804c3f8b7cd3d8b97808a9ae713c6e7eed0facd621ed3d98f3dad1b655ed051e069fbb9e513b1d51d0ccf61bfde30f668c65784

C:\Users\Admin\Desktop\.exe

MD5 f8d0bab3e3367fbd94c1f82eb33714e7
SHA1 e457ae2ad469dd932300a02a4e3b9c03010d5e31
SHA256 cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
SHA512 0064460f534399a26e4dd2e29804c3f8b7cd3d8b97808a9ae713c6e7eed0facd621ed3d98f3dad1b655ed051e069fbb9e513b1d51d0ccf61bfde30f668c65784

memory/300-63-0x0000000001280000-0x00000000013E0000-memory.dmp

memory/300-64-0x0000000000450000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/1428-67-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-68-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-71-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-70-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-72-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/1428-73-0x000000000049449E-mapping.dmp

memory/1428-78-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-76-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1428-79-0x0000000075581000-0x0000000075583000-memory.dmp

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/1428-81-0x0000000000620000-0x0000000000664000-memory.dmp

memory/1428-82-0x00000000002B5000-0x00000000002C6000-memory.dmp

memory/1428-83-0x00000000007A0000-0x00000000007B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 02:05

Reported

2022-05-21 03:09

Platform

win10v2004-20220414-en

Max time kernel

118s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img_0933.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\admin = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3728 set thread context of 4132 | N/A | C:\Users\Admin\Desktop\.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\img_0933.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\img_0933.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3144 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (3 identical rows)
PID 1960 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\img_0933.exe C:\Users\Admin\Desktop\.exe (3 identical rows)
PID 3728 wrote to memory of 4132 N/A C:\Users\Admin\Desktop\.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (8 identical rows)
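The write table above records two chains: img_0933.exe (1960) spawning cmd.exe (3144) which spawns reg.exe (3456) for the Run-key persistence, and img_0933.exe spawning the dropped Desktop\.exe (3728) which writes eight times into RegAsm.exe (4132). Three writes into a freshly started child is what every parent in this table shows (cmd.exe into reg.exe, for instance), so the rows double as a process-creation tree; eight writes into a .NET utility, together with the SetThreadContext signature in the summary and the fact that the Outlook profile queries below come from RegAsm.exe, are consistent with the MassLogger payload running inside a hollowed RegAsm.exe. The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied from the table above, rebuilds the parent-child chains and flags a child that received many writes and whose image is a common hollowing host. The host list and the threshold of four writes are assumptions of the example, and the count alone is only a heuristic.

```python
"""Rebuild the process tree and injection chains from the sandbox's
"PID A wrote to memory of B" rows.  Added example, not part of the report."""
import re
from collections import Counter

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Images that malware commonly starts suspended and hollows.  The list and the
# write threshold are assumptions of this example, not data from the report.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
WRITE_THRESHOLD = 4

# Rows copied from the "Suspicious use of WriteProcessMemory" table above,
# repeated as many times as the report lists them.
SAMPLE_ROWS = (
    [r"PID 1960 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\img_0933.exe C:\Windows\SysWOW64\cmd.exe"] * 3
    + [r"PID 3144 wrote to memory of 3456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe"] * 3
    + [r"PID 1960 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\img_0933.exe C:\Users\Admin\Desktop\.exe"] * 3
    + [r"PID 3728 wrote to memory of 4132 N/A C:\Users\Admin\Desktop\.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"] * 8
)


def parse_rows(lines):
    """Count writes per (src_pid, dst_pid, src_image, dst_image)."""
    writes = Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes[(int(src), int(dst), src_img, dst_img)] += 1
    return writes


def process_tree(writes):
    """Parent PID -> child PIDs, in first-seen order.  In this report every
    parent shows writes into the child it started (cmd.exe into reg.exe, for
    instance), so the write rows double as the creation tree."""
    children = {}
    for src, dst, _, _ in writes:
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return children


def chains(writes, root):
    """Every root-to-leaf PID chain below root."""
    tree = process_tree(writes)
    out = []

    def walk(pid, path):
        kids = tree.get(pid, [])
        if not kids:
            out.append(path)
        for kid in kids:
            walk(kid, path + [kid])

    walk(root, [root])
    return out


def flag_hollowing(writes, threshold=WRITE_THRESHOLD):
    """Pairs where a parent wrote repeatedly into a child whose image is a usual
    hollowing host.  Plain process creation produces only a few writes, so a
    high count plus a SetThreadContext signature points at suspend-write-resume."""
    hits = []
    for (src, dst, src_img, dst_img), n in writes.items():
        if n >= threshold and dst_img.rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS:
            hits.append({"parent": src, "parent_image": src_img,
                         "child": dst, "child_image": dst_img, "writes": n})
    return hits


if __name__ == "__main__":
    w = parse_rows(SAMPLE_ROWS)
    for chain in chains(w, 1960):
        print(" -> ".join(map(str, chain)))
    for hit in flag_hollowing(w):
        print("possible hollowing:", hit)
```

Run against the rows above it prints the two chains 1960 -> 3144 -> 3456 and 1960 -> 3728 -> 4132 and a single hollowing hit for RegAsm.exe; lowering the threshold to one still flags only that pair, because cmd.exe and reg.exe are not in the host list.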

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\img_0933.exe

"C:\Users\Admin\AppData\Local\Temp\img_0933.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"

C:\Users\Admin\Desktop\.exe

"C:\Users\Admin\Desktop\.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
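The two REG ADD command lines above create an HKCU Run value named admin whose data does not name the payload directly: it names pcalua.exe, the Program Compatibility Assistant launcher, with -a pointing at the real target, and pcalua.exe -a <file> simply runs that file. The autostart entry therefore starts with a Windows binary while launching C:\Users\Admin\Desktop\.exe. The registry queries by RegAsm.exe against the two Outlook profile keys (the 9375CFF0413111d3B88A00104B2A6676 subkey holds the per-account settings that stealers read for stored mail credentials) are the collection side. The script below is an added example, not the report's or the sandbox's own code: it parses REG ADD command lines of the shape seen here, flags Run-key persistence that goes through a proxy launcher or into a user-writable path, and flags Outlook-profile reads by any process other than Outlook itself. The command line, key paths and process image are copied from the report; the launcher list, the autorun key fragments and the quoting simplification (all double quotes are dropped before tokenising, so paths containing spaces are not handled) are assumptions of the example.

```python
"""Triage helpers for the persistence and Outlook-profile events in this
report.  Added example, not part of the sandbox report."""
import re

# Key fragments, proxy launchers and their target switch are assumptions of
# this example; "\currentversion\run" also matches RunOnce.
AUTORUN_KEY_FRAGMENTS = ("\\microsoft\\windows\\currentversion\\run",)
PROXY_LAUNCHERS = {"pcalua.exe": "-a"}
OUTLOOK_PROFILE_FRAGMENTS = ("\\outlook\\profiles\\",
                             "\\windows messaging subsystem\\profiles\\")

REG_ADD_RE = re.compile(r'REG\s+ADD\s+"?(?P<key>[^"\s]+)"?(?P<rest>.*)$', re.I)
SWITCH_RE = re.compile(r'/(?P<name>[vtd])\s+(?P<val>.*?)(?=\s+/[vtdf]\b|$)', re.I)

# Copied from the Processes section and the outlook_* signature tables above.
CMD_LINE = r'"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v admin /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\.exe"'
REGASM = r"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
OUTLOOK_KEYS = [
    r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_add(cmdline):
    """Extract the key and the /v, /t, /d switches from a REG ADD command line,
    whether run directly or wrapped in cmd.exe /c.  None if it is not a REG ADD."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    fields = {"key": m.group("key")}
    for sw in SWITCH_RE.finditer(m.group("rest")):
        fields[sw.group("name").lower()] = sw.group("val").strip()
    return fields


def triage_autorun(cmdline):
    """Verdict for a REG ADD that writes an autorun value, else None."""
    f = parse_reg_add(cmdline)
    if not f or not any(frag in f["key"].lower() for frag in AUTORUN_KEY_FRAGMENTS):
        return None
    # The sample's quoting is malformed ('...pcalua.exe" -a ...\.exe"'); dropping
    # every double quote before tokenising is enough for space-free paths.
    tokens = f.get("d", "").replace('"', "").split()
    if not tokens:
        return None
    launcher = basename(tokens[0])
    target, proxied = tokens[0], False
    switch = PROXY_LAUNCHERS.get(launcher)
    if switch and switch in tokens and tokens.index(switch) + 1 < len(tokens):
        target, proxied = tokens[tokens.index(switch) + 1], True
    return {
        "key": f["key"], "value_name": f.get("v"), "launcher": launcher,
        "target": target, "proxied": proxied,
        "user_writable": target.lower().startswith("c:\\users\\"),
    }


def triage_registry_query(process_image, key_path):
    """Flag reads of Outlook profile keys by anything other than Outlook."""
    kp = key_path.lower()
    outlook_profile = any(frag in kp for frag in OUTLOOK_PROFILE_FRAGMENTS)
    reader = basename(process_image)
    return {"reader": reader, "outlook_profile": outlook_profile,
            "suspicious": outlook_profile and reader != "outlook.exe"}


if __name__ == "__main__":
    print(triage_autorun(CMD_LINE))
    for key in OUTLOOK_KEYS:
        print(triage_registry_query(REGASM, key))
```

On the command line from this report the autorun verdict carries launcher pcalua.exe, proxied True and target C:\Users\Admin\Desktop\.exe in a user-writable location, which is the combination worth alerting on: a Run value whose data is a Windows binary but whose effective target is a dropped file. Both Outlook keys come back suspicious because the reader is RegAsm.exe rather than outlook.exe.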

Network

Country Destination Domain Proto
NL 8.238.23.254:80 - tcp (4 identical rows)
US 20.189.173.6:443 - tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

memory/1960-130-0x0000000000810000-0x0000000000970000-memory.dmp

memory/1960-131-0x0000000007CC0000-0x0000000008264000-memory.dmp

memory/1960-132-0x0000000007810000-0x00000000078A2000-memory.dmp

memory/1960-133-0x00000000078B0000-0x00000000078F4000-memory.dmp

memory/3144-134-0x0000000000000000-mapping.dmp

memory/3456-135-0x0000000000000000-mapping.dmp

memory/3728-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\Desktop\.exe

MD5 f8d0bab3e3367fbd94c1f82eb33714e7
SHA1 e457ae2ad469dd932300a02a4e3b9c03010d5e31
SHA256 cc6b0848a3a848c9ee7ce3f63d1e3f95393f6593140e2aab400146c06e593793
SHA512 0064460f534399a26e4dd2e29804c3f8b7cd3d8b97808a9ae713c6e7eed0facd621ed3d98f3dad1b655ed051e069fbb9e513b1d51d0ccf61bfde30f668c65784

memory/4132-139-0x0000000000000000-mapping.dmp

memory/4132-140-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/4132-143-0x00000000052F0000-0x000000000538C000-memory.dmp

memory/4132-144-0x0000000005400000-0x0000000005466000-memory.dmp

memory/4132-145-0x0000000006CF0000-0x0000000006CFA000-memory.dmp

memory/4132-146-0x0000000006D00000-0x0000000006D50000-memory.dmp