Malware Analysis Report

2024-10-23 21:33

Sample ID 220521-cd4dmsdga2
Target e3c6a1546ff708f99122b730baeba4692769e0efeb9a3ccc58b215f9ab9fe8e8
SHA256 e3c6a1546ff708f99122b730baeba4692769e0efeb9a3ccc58b215f9ab9fe8e8
Tags
rezer0 masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e3c6a1546ff708f99122b730baeba4692769e0efeb9a3ccc58b215f9ab9fe8e8

Threat Level: Known bad

The file e3c6a1546ff708f99122b730baeba4692769e0efeb9a3ccc58b215f9ab9fe8e8 was found to be: Known bad.

Malicious Activity Summary

rezer0 masslogger collection ransomware spyware stealer

MassLogger

MassLogger Main Payload

MassLogger log file

ReZer0 packer

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:58

Reported

2022-05-21 03:03

Platform

win7-20220414-en

Max time kernel

41s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe"

Signatures

ReZer0 packer

rezer0

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1012 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe
PID 1012 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe
PID 1012 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe
PID 1012 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe
PID 1012 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

Network

N/A

Files

memory/1012-54-0x00000000002F0000-0x0000000000408000-memory.dmp

memory/1012-55-0x0000000000440000-0x0000000000448000-memory.dmp

memory/1012-56-0x0000000007E20000-0x0000000007ECE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:58

Reported

2022-05-21 03:03

Platform

win10v2004-20220414-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4224 set thread context of 4388 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4224 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe
PID 4224 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\PI 200000679 Rev 3_pdf.exe

"{path}"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
IE 20.50.80.210:443 tcp
NL 20.190.160.132:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
NL 20.190.160.4:443 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 20.190.160.8:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
NL 20.190.160.134:443 tcp
NL 20.190.160.2:443 tcp
NL 20.190.160.6:443 tcp

Files

memory/4224-130-0x0000000000720000-0x0000000000838000-memory.dmp

memory/4224-131-0x0000000007F30000-0x00000000084D4000-memory.dmp

memory/4224-132-0x0000000007B60000-0x0000000007BF2000-memory.dmp

memory/4224-133-0x0000000007B40000-0x0000000007B4A000-memory.dmp

memory/4224-134-0x000000000BB00000-0x000000000BB9C000-memory.dmp

memory/1512-135-0x0000000000000000-mapping.dmp

memory/4388-136-0x0000000000000000-mapping.dmp

memory/4388-137-0x0000000000400000-0x00000000004A6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI 200000679 Rev 3_pdf.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/4388-639-0x00000000063C0000-0x0000000006426000-memory.dmp

memory/4388-640-0x00000000080A0000-0x00000000080F0000-memory.dmp