fec56ffb...3cb1 | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification:
Keylogger
Backdoor
Spyware
Threat Names:
Vermin
Quasar
xRAT
...

office82.exe

Windows Exe (x86-32)

Created at 2020-05-09T20:51:00

...

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "2 minutes, 15 seconds" to "1 minute, 30 seconds" to reveal dormant functionality.

Indicators

File (11)
»
Filename Hash Operations Category Severity
C:\Users\FD1HVy\AppData\Roaming\SubDir\Client.exe MD5: ee6b41b84b38df2ca1ababd9d3d8f4a0
SHA1: 2df1f670d50cb1736a3623dd04973de093e2d512
SHA256: fec56ffb3c5a61bffba235044da127eae17d9772dbd3817b8a5ce8cad0e93cb1
SSDeep: 6144:7V6bPXhLApfpTEmWBtEJA7+bM7dJ++reUHqznQa:hmhApymCeJA5LpHq7Qa
ImpHash: f34d5f2d4577ed6d9ceec516c1f5a744 		Access, Create Sample File
Malicious
C:\Users\FD1HVy\AppData\Roaming\Logs\05-09-2020 MD5: 57f556747fa372da6d5f3a16f4c25bc6
SHA1: 549317a07c3b29118c7b56cb12bccf85cf1caf66
SHA256: e44e53535fbefd8484138c9511f4ec99cbd118b39574915ec966f55e2816c511
SSDeep: 6:oTOquSAWslAl478pi9AVBhKWE9WMYIl1a9:kO4Are2nGBJE9hYIva9
ImpHash: - 		Access, Create, Write Dropped File
Unknown
C:\Users\FD1HVy\AppData\Roaming - Access
Not Available
C:\Users\FD1HVy\AppData\Roaming\Logs - Access, Create
Not Available
C:\Users\FD1HVy\AppData\Roaming\SubDir - Access, Create
Not Available
C:\Users\FD1HVy\AppData\Roaming\SubDir\Client.exe.config - Access
Not Available
C:\Users\FD1HVy\AppData\Roaming\SubDir\Client.exe:Zone.Identifier - Access, Delete
Not Available
C:\Users\FD1HVy\Desktop\office82.exe.config - Access
Not Available
C:\Users\FD1HVy\Desktop\office82.exe:Zone.Identifier - Access, Delete
Not Available
C:\WINDOWS\SysWOW64\schtasks.exe - Access
Not Available
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config - Access, Read
Not Available
Registry (24)
»
Registry Key Name Operations
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msoffice2 Access, Read, Write
HKEY_LOCAL_MACHINE Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI Access, Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Access
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework Access
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger Access, Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType Access, Read
HKEY_PERFORMANCE_DATA Access
Mutex (1)
»
Mutex Name Operations
QSR_MUTEX_udGwV1YU8X6NWw316P Access
Domain (1)
»
Domain Sources Severity
ip-api.com PCAP, Function Log
Unknown
URL (1)
»
URL Operations Category Severity
http://ip-api.com/json/ GET Contacted
Unknown
IP (2)
»
IP Protocols Sources
10.88.111.18 TCP PCAP, Function Log
208.95.112.1 HTTP, DNS, TCP PCAP, Function Log
Export to TXT Export to JSON
VMRay - Analyzer - www.vmray.com
Legal Note - Privacy Policy
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image