Malware Analysis Report

2024-10-18 21:25

Sample ID: 231225-wyzezabfeq
Target: 340e9a1bcc5ae00b5251f8c5e4bcae10
SHA256: 9e8945e1f0569c2fddfad7e0a580508cc85a7ec431b634ea070cdfc8c80cc6cf
Tags: a310logger stormkitty collection spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9e8945e1f0569c2fddfad7e0a580508cc85a7ec431b634ea070cdfc8c80cc6cf

Threat Level: Known bad

The file 340e9a1bcc5ae00b5251f8c5e4bcae10 was found to be: Known bad.

Malicious Activity Summary

a310logger stormkitty collection spyware stealer

A310logger

StormKitty

StormKitty payload

A310logger Executable

Loads dropped DLL

Executes dropped EXE

Reads local data of messenger clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-25 18:20

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-25 18:20
Reported: 2023-12-26 15:47
Platform: win10v2004-20231215-en
Max time kernel: 2s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

Signatures

A310logger

stealer spyware a310logger

StormKitty

stealer stormkitty

StormKitty payload

A310logger Executable

Reads local data of messenger clients

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1396 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 1396 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 1396 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 1396 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 5036 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 80

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.115.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 172.67.196.114:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
US | 104.18.115.97:80 | icanhazip.com | tcp
US | 172.67.196.114:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp
US | 204.79.197.200:443 | | tcp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

MD5 1bad0cbd09b05a21157d8255dc801778
SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log

MD5 5370d1dff94d27a9a6cfab002a5c444b
SHA1 fecadd9e884c57822ebeae897a3989c0e678fd1a
SHA256 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
SHA512 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-25 18:20
Reported: 2023-12-26 15:47
Platform: win7-20231215-en
Max time kernel: 47s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

Signatures

A310logger

stealer spyware a310logger

StormKitty

stealer stormkitty

StormKitty payload

A310logger Executable

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2520 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 2520 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 2520 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 2520 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 2520 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2996 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2804 wrote to memory of 1444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2804 wrote to memory of 1444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2804 wrote to memory of 1444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2804 wrote to memory of 1444 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe

"C:\Users\Admin\AppData\Local\Temp\340e9a1bcc5ae00b5251f8c5e4bcae10.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.115.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 104.21.44.66:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
GB | 96.17.179.205:80 | apps.identrust.com | tcp
US | 104.21.44.66:443 | api.mylnikov.org | tcp
US | 104.18.115.97:80 | icanhazip.com | tcp
US | 104.21.44.66:443 | api.mylnikov.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1D52.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar35E4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c6a5b5d4938b4ec616916214840e503
SHA1 ff30f0ee02bb197b5d7b35c0c8fe203d18abddbd
SHA256 08a18201e57738194f3b800aaaa87a2ae674585d0fc317221371a062cb533e10
SHA512 c31d0f2f5f1d3e9110447dbacd217b459274a66f5b3b3f88d3c957eb7f6dae983b48454852a92adace922bc841eb4b5b4c7410d1208e7101d5829143ee96dd8c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

MD5 1bad0cbd09b05a21157d8255dc801778
SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
