Malware Analysis Report

2025-01-18 04:58

Sample ID 220329-2brdqscbb2
Target cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87
SHA256 cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87
Tags masslogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87

Threat Level: Known bad

The file cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87 was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger Main Payload

MassLogger

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-29 22:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-29 22:24

Reported

2022-04-01 00:48

Platform

win7-20220331-en

Max time kernel

89s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2012 set thread context of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2012 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1256 wrote to memory of 1244 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1244 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1244 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1244 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1712 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1712 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1712 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1712 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 1780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1256 wrote to memory of 1564 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1564 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1564 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 1564 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1564 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1564 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1564 wrote to memory of 936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe
PID 1564 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe

"C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eqOznKoNHJb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF97C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn Firefox.exe /tr '"C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe"' & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn Firefox.exe /tr '"C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe"'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp77FE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe

"C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe"

Network

N/A

Files

memory/2012-54-0x0000000000FA0000-0x0000000001104000-memory.dmp

memory/2012-55-0x0000000000550000-0x000000000056C000-memory.dmp

memory/2012-56-0x0000000007F60000-0x0000000008012000-memory.dmp

memory/1280-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF97C.tmp

MD5 22a78f22b48fa1bd9279c41f6156171d
SHA1 70650102dcdbaa8785e34f106e87589214d568f3
SHA256 90d475e9742a189a21a24a519eecc5bdd03b25b000db57f5c2ff46c1f510e9eb
SHA512 87e094b238093e59408fa5e0bb9978bf424d6dd13f535fa781f5dfbfe16f5e829a9536339838d80d43f549fec1eddf8a34c31a1df650fc3a4bb88e2e65b32033

memory/1256-59-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-60-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-63-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-62-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-65-0x0000000000481B0E-mapping.dmp

memory/1256-64-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-67-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1256-69-0x0000000000400000-0x0000000000486000-memory.dmp

memory/1244-70-0x0000000000000000-mapping.dmp

memory/1256-71-0x0000000002035000-0x0000000002046000-memory.dmp

memory/1244-72-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

memory/1712-73-0x0000000000000000-mapping.dmp

memory/1780-74-0x0000000000000000-mapping.dmp

memory/1564-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp77FE.tmp.bat

MD5 9d094b4097c03d1df4be21ba7798c097
SHA1 724162388bee4192ac21db773cea02468a570878
SHA256 ede91006064ebcfe27db7f24b681b166d366e7f6da694d7ac5b90e35e205e794
SHA512 1f6a94158d5822f697b5e878784eb72352d272f872bfeba962ecc45a52510055fabc74facf48ee469fea702d424c0202f1e50748ec767da28cb7a658827f6f9d

memory/936-77-0x0000000000000000-mapping.dmp

memory/1244-78-0x0000000074D20000-0x00000000752CB000-memory.dmp

memory/1244-79-0x00000000024B2000-0x00000000024B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

\Users\Admin\AppData\Roaming\Firefox\Firefox.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1948-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Firefox\Firefox.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1948-84-0x00000000000A0000-0x00000000000AE000-memory.dmp

memory/1948-85-0x0000000000550000-0x0000000000570000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-29 22:24

Reported

2022-04-01 00:47

Platform

win10v2004-20220331-en

Max time kernel

76s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2900 set thread context of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2900 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2900 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4520 wrote to memory of 2160 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2160 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 2160 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe

"C:\Users\Admin\AppData\Local\Temp\cdcca14762350631687767fbf582ddbb3c9a84fbae2235d308b8e1fa2077af87.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eqOznKoNHJb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp68BC.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'

Network

Country | Destination | Domain | Proto
FI | 62.115.252.112:80 | | tcp
US | 104.208.16.88:443 | | tcp
SE | 178.79.212.129:80 | | tcp
SE | 178.79.212.129:80 | | tcp
SE | 178.79.212.129:80 | | tcp
US | 204.79.197.203:80 | | tcp

Files

memory/2900-124-0x0000000000840000-0x00000000009A4000-memory.dmp

memory/2900-125-0x0000000007CF0000-0x0000000008294000-memory.dmp

memory/2900-126-0x0000000007820000-0x00000000078B2000-memory.dmp

memory/2900-127-0x00000000079C0000-0x00000000079CA000-memory.dmp

memory/2900-128-0x000000000A410000-0x000000000A93C000-memory.dmp

memory/2900-129-0x000000000AC10000-0x000000000ACAC000-memory.dmp

memory/1296-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68BC.tmp

MD5 03690d6cd336a0ec84ad21b590260d33
SHA1 ba93ee011fee9fecba9bd231080373bcc6d92713
SHA256 3f5666af11b64182409ddcc83f2e96eef69c2cc8e2ec12c04ee064f7c8d8a00d
SHA512 42bdb8a204f1864b36e510b044d134d5cb87effa13b7c0f492389aa6a027dbf6d16d009d29efcc0e1ebb9fcef5734e3dfa831a1d88ad541aee5c9f7defe41884

memory/4520-132-0x0000000000000000-mapping.dmp

memory/4520-133-0x0000000000400000-0x0000000000486000-memory.dmp

memory/4520-134-0x0000000005860000-0x00000000058C6000-memory.dmp

memory/2160-135-0x0000000000000000-mapping.dmp

memory/2160-136-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/2160-137-0x0000000005430000-0x0000000005A58000-memory.dmp

memory/2160-138-0x00000000053E0000-0x0000000005402000-memory.dmp

memory/2160-139-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/2160-140-0x00000000061A0000-0x00000000061BE000-memory.dmp

memory/2160-141-0x0000000004DF5000-0x0000000004DF7000-memory.dmp

memory/2160-142-0x0000000007AC0000-0x000000000813A000-memory.dmp

memory/2160-143-0x0000000006680000-0x000000000669A000-memory.dmp

memory/2160-144-0x00000000067E0000-0x0000000006876000-memory.dmp

memory/2160-145-0x0000000006770000-0x0000000006792000-memory.dmp