Malware Analysis Report

2024-10-23 21:32

Sample ID: 220521-cavx4agehn
Target: f17eab7c6b86f2cbd0ef8ecab18cbbdd5ed2f6bec2bd99362c4746c859195ecd
SHA256: f17eab7c6b86f2cbd0ef8ecab18cbbdd5ed2f6bec2bd99362c4746c859195ecd
Tags: masslogger collection ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f17eab7c6b86f2cbd0ef8ecab18cbbdd5ed2f6bec2bd99362c4746c859195ecd
Threat Level: Known bad

The file f17eab7c6b86f2cbd0ef8ecab18cbbdd5ed2f6bec2bd99362c4746c859195ecd was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

MassLogger Main Payload

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 01:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 01:52
Reported: 2022-05-21 02:50
Platform: win7-20220414-en
Max time kernel: 135s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1756 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1964 wrote to memory of 1356 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FFFPxKmadUHiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22FC.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

Network

Country  Destination         Domain                      Proto
US       8.8.8.8:53          api.ipify.org               udp
US       3.232.242.170:80    api.ipify.org               tcp
US       8.8.8.8:53          mail.mytravelexplorer.com   udp
GB       89.187.85.6:587     mail.mytravelexplorer.com   tcp

Files

memory/1964-54-0x0000000000920000-0x0000000000A32000-memory.dmp

memory/1964-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

memory/1964-56-0x0000000000310000-0x0000000000322000-memory.dmp

memory/1964-57-0x0000000007D10000-0x0000000007DC0000-memory.dmp

memory/1756-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp22FC.tmp

MD5 fd8ab92a915143ade1593446dbf10ceb
SHA1 9e09a96291e475132d8fb1e3799a412def295f82
SHA256 137987c2ff906f075f2d5e14498384a382823904d7297f8eaa75a7a8d3930b7d
SHA512 5b394a2980b46f5f30fd5d79285ac6792f429703f507c6de1efb9d39bb63482eb2f365407cc3ef35f8e69bdf57506f5ced0ab756e6a5f96394d9d45089f85586

memory/1356-60-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-63-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-61-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-64-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-65-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-66-0x00000000004A309E-mapping.dmp

memory/1356-68-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-70-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1356-71-0x00000000003B0000-0x00000000003F4000-memory.dmp

memory/1356-73-0x0000000004CB5000-0x0000000004CC6000-memory.dmp

memory/1356-74-0x0000000002050000-0x0000000002064000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 01:52
Reported: 2022-05-21 02:49
Platform: win10v2004-20220414-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 4516 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 548 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe
PID 3996 wrote to memory of 4756 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe
PID 3996 wrote to memory of 400 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe
PID 3996 wrote to memory of 4792 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe N/A
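The "Accesses Microsoft Outlook profiles" tables in both runs (behavioral1 above and behavioral2 here) reduce to three key families: the Office 15.0/16.0 Outlook profile store, the Windows Messaging Subsystem profile store, and, under "Checks computer location settings", Control Panel\International\Geo\Nation. The Python below is an added example, not the sandbox's own signature logic: it strips the \REGISTRY\USER\<SID>\ prefix, classifies the remainder with patterns written for this example, and aggregates operations per family. The input is a constructed sample of rows copied from the behavioral2 tables plus one unrelated Run key as a negative case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the behavioral2 registry tables above,
# in the report's "<operation> <key>" layout. SID copied from the report.
SID = "S-1-5-21-1081944012-3634099177-1681222835-1000"


def hku(sub):
    """Build a user-hive path the way the sandbox logs it (\\REGISTRY\\USER\\<SID>\\...)."""
    return "\\REGISTRY\\USER\\" + SID + "\\" + sub


SAMPLE_EVENTS = [
    ("Key value queried", hku(r"Control Panel\International\Geo\Nation")),
    ("Key opened", hku(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")),
    ("Key created", hku(r"SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook")),
    ("Key created", hku(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")),
    ("Key queried", hku(r"SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")),
    ("Key queried", hku(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook")),
    # Negative case (constructed): a key outside all three families.
    ("Key queried", hku(r"Software\Microsoft\Windows\CurrentVersion\Run")),
]

# Hypothetical category names and patterns for this example; case-insensitive
# because the sandbox logs both "Software" and "SOFTWARE" for the same hive.
HKU_PREFIX = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", re.I)
CATEGORIES = {
    "outlook_office_profile": re.compile(
        r"^Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Profiles\\", re.I),
    "outlook_wms_profile": re.compile(
        r"^Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I),
    "geo_nation_check": re.compile(
        r"^Control Panel\\International\\Geo\\Nation$", re.I),
}


def classify_key(path):
    """Return (sid, category, office_version) for a raw user-hive path.

    category is None when the path matches no family; office_version is only
    set for the Office profile store (e.g. "15.0", "16.0").
    """
    m = HKU_PREFIX.match(path)
    if not m:
        return None, None, None
    sid, rel = m.group(1), path[m.end():]
    for name, rx in CATEGORIES.items():
        hit = rx.match(rel)
        if hit:
            version = hit.group(1) if hit.groups() else None
            return sid, name, version
    return sid, None, None


def summarize(events):
    """Aggregate (operation, key) rows into per-family operation counts."""
    per_family = defaultdict(Counter)
    versions = set()
    for op, path in events:
        _sid, category, version = classify_key(path)
        if category is None:
            continue
        per_family[category][op] += 1
        if version:
            versions.add(version)
    return {
        "categories": {k: dict(v) for k, v in per_family.items()},
        "office_versions": sorted(versions),
    }


if __name__ == "__main__":
    for family, ops in summarize(SAMPLE_EVENTS)["categories"].items():
        print(family, ops)
```

One reading caveat for the "Key created" rows: RegCreateKeyEx opens the key when it already exists and only reports which case occurred through its disposition output, and a stealer enumerating mail profiles commonly calls it that way. The sandbox logs the call, not the disposition, so created, opened and queried on these paths should be read together as one credential-access pattern, not as evidence that the sample modified the profiles.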

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FFFPxKmadUHiH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase order from Innovix Distribution_pdf.exe"
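The process trees of both runs show the same chain: the parent launches schtasks.exe to register a task from an XML file dropped in the user's Temp directory, then spawns copies of its own image and writes into their memory (1964 into 1756 and 1356 in behavioral1; 3996 into 4516, then 548, 4756, 400 and 4792 here). With the SetThreadContext signature in the summary, that is the usual process-hollowing sequence. The Python below is an added example, not the sandbox vendor's code and not taken from the sample: it replays constructed events modelled on the behavioral2 tables (the event field names are a simplified hypothetical schema, not Sysmon's) and flags both behaviours.

```python
import re
from collections import Counter

# Constructed events modelled on the behavioral2 process tree and
# WriteProcessMemory table above. Paths and command lines are copied from the
# report; the event schema (type/pid/ppid/image/cmdline, src/dst) is a
# simplified hypothetical one for this example.
PAYLOAD = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\Purchase order from Innovix Distribution_pdf.exe")
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create '
                r'/TN "Updates\FFFPxKmadUHiH" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp"')


def proc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


def write(src, dst):
    return {"type": "write_process_memory", "src": src, "dst": dst}


EVENTS = [proc(3996, 1000, PAYLOAD, f'"{PAYLOAD}"'),   # ppid 1000 is a placeholder
          proc(4516, 3996, SCHTASKS, SCHTASKS_CMD)]
EVENTS += [write(3996, 4516)] * 3
for child, n_writes in ((548, 3), (4756, 3), (400, 3), (4792, 8)):
    EVENTS.append(proc(child, 3996, PAYLOAD, f'"{PAYLOAD}"'))
    EVENTS += [write(3996, child)] * n_writes

TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TEMP_XML = re.compile(r'/xml\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+)"?', re.I)


def find_temp_xml_schtasks(events):
    """Flag schtasks.exe /Create launches whose /XML definition lives in %TEMP%."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in procs.values():
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd = e["cmdline"]
        if "/create" not in cmd.lower():
            continue
        m_xml = TEMP_XML.search(cmd)
        if not m_xml:
            continue
        m_tn = TASK_NAME.search(cmd)
        parent = procs.get(e["ppid"])
        findings.append({
            "rule": "schtasks_create_from_temp_xml",
            "pid": e["pid"],
            "task_name": m_tn.group(1) if m_tn else None,
            "xml_path": m_xml.group(1),
            "parent_image": parent["image"] if parent else None,
        })
    return findings


def find_self_image_injection(events):
    """Flag children that share the parent's image path and whose memory the parent wrote.

    A parent writing into a freshly spawned copy of itself is the hollowing
    pattern; the write count per child is reported so the analyst can see
    which attempt went furthest.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = Counter((e["src"], e["dst"])
                     for e in events if e["type"] == "write_process_memory")
    findings = []
    for (src, dst), n in sorted(writes.items()):
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child or child["ppid"] != src:
            continue
        if parent["image"].lower() != child["image"].lower():
            continue   # e.g. the schtasks.exe child: different image, not hollowing
        findings.append({"rule": "parent_writes_same_image_child",
                         "parent_pid": src, "child_pid": dst,
                         "writes": n, "image": child["image"]})
    return findings


def triage(events):
    return find_temp_xml_schtasks(events) + find_self_image_injection(events)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The write counts alone do not prove a successful hollow: in this run only PID 4792 later shows the 0x0000000000400000-0x00000000004A8000 image region in the Files list, while 548, 4756 and 400 have only a mapping dump, which is consistent with earlier attempts that did not progress. On a real endpoint the equivalent telemetry is Sysmon Event ID 1 (process creation) together with Event ID 10 (process access) or an EDR's memory-write events.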

Network

Country  Destination         Domain                      Proto
US       13.89.178.26:443    -                           tcp
US       8.253.208.112:80    -                           tcp   (3 connections)
US       8.8.8.8:53          api.ipify.org               udp
US       3.220.57.224:80     api.ipify.org               tcp
US       8.8.8.8:53          mail.mytravelexplorer.com   udp
GB       89.187.85.6:587     mail.mytravelexplorer.com   tcp

"-" marks a destination for which the sandbox recorded no domain.
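Both Network tables (behavioral1 above and behavioral2 here) show the same two-step pattern: an HTTP lookup of the host's public address via api.ipify.org, and a TCP connection to mail.mytravelexplorer.com on 587, the SMTP submission port, which is one of the exfiltration channels the MassLogger family is known to use. The Python below is an added example, not part of the report: it parses the report's own rows (copied inline as constructed input, with the Windows 10 run's domain-less rows included), drops resolver traffic from the IOC set, and checks for the lookup-plus-mail-submission co-occurrence. The tables carry no timestamps, so the code asserts co-occurrence only, not order.

```python
import ipaddress

# Rows copied from the two Network tables in this report; treated as constructed
# input for the example, since the sandbox's export format may differ.
BEHAVIORAL1 = """\
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 mail.mytravelexplorer.com udp
GB 89.187.85.6:587 mail.mytravelexplorer.com tcp
"""
BEHAVIORAL2 = """\
US 13.89.178.26:443 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp
US 8.253.208.112:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 mail.mytravelexplorer.com udp
GB 89.187.85.6:587 mail.mytravelexplorer.com tcp
"""

# Hypothetical lists for this example; extend with other "what is my IP" hosts.
IP_LOOKUP_SERVICES = {"api.ipify.org"}
MAIL_SUBMISSION_PORTS = {25, 465, 587}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(rows):
    """Deduplicated indicators. UDP/53 rows are dropped: the resolver address is
    infrastructure the sandbox uses, not something the sample chose."""
    domains = sorted({r["domain"] for r in rows if r["domain"]})
    endpoints = sorted({(str(r["ip"]), r["port"], r["proto"]) for r in rows
                        if not (r["port"] == 53 and r["proto"] == "udp")})
    return {"domains": domains, "endpoints": endpoints}


def stealer_exfil_pattern(rows):
    """Co-occurrence of an external-IP lookup and an outbound mail-submission
    connection; returns None when either half is missing."""
    lookups = [r for r in rows
               if r["domain"] in IP_LOOKUP_SERVICES and r["proto"] == "tcp"]
    smtp = [r for r in rows
            if r["proto"] == "tcp" and r["port"] in MAIL_SUBMISSION_PORTS]
    if not lookups or not smtp:
        return None
    return {
        "ip_lookup": sorted({r["domain"] for r in lookups}),
        "smtp_targets": sorted({(r["domain"], str(r["ip"]), r["port"]) for r in smtp}),
        # Destinations with no recorded domain: attribute before blocking.
        "unattributed": sorted({(str(r["ip"]), r["port"]) for r in rows if r["domain"] is None}),
    }


if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        rows = parse_rows(table)
        print(name, extract_iocs(rows))
        print(name, stealer_exfil_pattern(rows))
```

The unattributed entries (13.89.178.26:443 and 8.253.208.112:80 in the Windows 10 run) are returned separately rather than folded into the verdict: the report gives no domain for them, so they should be attributed from a second source before they are added to a blocklist alongside the mail host.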

Files

memory/3996-130-0x0000000000310000-0x0000000000422000-memory.dmp

memory/3996-131-0x0000000005410000-0x00000000059B4000-memory.dmp

memory/3996-132-0x0000000004E60000-0x0000000004EF2000-memory.dmp

memory/3996-133-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

memory/3996-134-0x0000000008AB0000-0x0000000008B4C000-memory.dmp

memory/4516-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp

MD5 98771c98fc7f13c9b6d56e944a973dc8
SHA1 87c61911345b5065052c222717cd3fc179adec11
SHA256 a5b0b4bc0cec3323ad6d10880b81c040953b7fedac5332fd9a80ebd7706f6156
SHA512 c3a419866e1b201c6aa8b66a37944f037203970578d5abef221ace9bb345ba51143b900c9d392669795b17a8ceeaf340d10298b793a9dabb20669fc0ee030848

memory/548-137-0x0000000000000000-mapping.dmp

memory/4756-138-0x0000000000000000-mapping.dmp

memory/400-139-0x0000000000000000-mapping.dmp

memory/4792-140-0x0000000000000000-mapping.dmp

memory/4792-141-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/4792-142-0x0000000005A30000-0x0000000005A96000-memory.dmp

memory/4792-143-0x0000000008770000-0x00000000087C0000-memory.dmp