Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-cetktsdgd4
Target e0aa6c2f673df8b8a98d3df001a392914384b5adf043652f11b123a6a2c49237
SHA256 e0aa6c2f673df8b8a98d3df001a392914384b5adf043652f11b123a6a2c49237
Tags
masslogger collection ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0aa6c2f673df8b8a98d3df001a392914384b5adf043652f11b123a6a2c49237

Threat Level: Known bad

The file e0aa6c2f673df8b8a98d3df001a392914384b5adf043652f11b123a6a2c49237 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

ReZer0 packer

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_office_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:59

Reported

2022-05-21 03:04

Platform

win7-20220414-en

Max time kernel

100s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product_List.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1396 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1396 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1396 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1396 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 1396 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product_List.exe

"C:\Users\Admin\AppData\Local\Temp\Product_List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjTdXj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp456A.tmp"

C:\Users\Admin\AppData\Local\Temp\Product_List.exe

"{path}"

Network

Country  Destination         Domain         Proto
US       8.8.8.8:53          api.ipify.org  udp
US       3.232.242.170:80    api.ipify.org  tcp

Files

memory/1396-54-0x0000000000B90000-0x0000000000C62000-memory.dmp

memory/1396-55-0x0000000000230000-0x0000000000246000-memory.dmp

memory/1396-56-0x00000000009F0000-0x0000000000AA0000-memory.dmp

memory/1096-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp456A.tmp

MD5 c8fa65eb5d9ad443518e498cef199afa
SHA1 4b846708bf31d706041dda5b35e20a120566a3b7
SHA256 d4c61d3afc498b50b05f37a64f6e050a039773ba17d3f3e1c04a644f3fa83d51
SHA512 12e9844efca8695803b1cf5c3ae413659af6ef8a4743921eb40db5b97e86535b01fabcd383cd5f4fe12f2db39f4c3b1a9b21c2d1bc1eb42fe0cf64aa2c3b2ea0

memory/1992-59-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-60-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-62-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-63-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-64-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-65-0x00000000004A302E-mapping.dmp

memory/1992-67-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-69-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1992-70-0x00000000004B0000-0x00000000004F4000-memory.dmp

memory/1992-71-0x0000000075C71000-0x0000000075C73000-memory.dmp

memory/1992-72-0x0000000004DB5000-0x0000000004DC6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:59

Reported

2022-05-21 03:05

Platform

win10v2004-20220414-en

Max time kernel

160s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Product_List.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3128 set thread context of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 3128 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 3128 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Windows\SysWOW64\schtasks.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe
PID 3128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Product_List.exe C:\Users\Admin\AppData\Local\Temp\Product_List.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Product_List.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Product_List.exe

"C:\Users\Admin\AppData\Local\Temp\Product_List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tjTdXj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBC5.tmp"

C:\Users\Admin\AppData\Local\Temp\Product_List.exe

"{path}"

Network

Country  Destination         Domain         Proto
US       93.184.220.29:80                   tcp
US       93.184.220.29:80                   tcp
US       20.189.173.9:443                   tcp
NL       104.97.14.81:80                    tcp
NL       104.97.14.81:80                    tcp
US       209.197.3.8:80                     tcp
US       8.8.8.8:53          api.ipify.org  udp
US       52.20.78.240:80     api.ipify.org  tcp

Files

memory/3128-130-0x00000000003D0000-0x00000000004A2000-memory.dmp

memory/3128-131-0x0000000004D50000-0x0000000004DEC000-memory.dmp

memory/3128-132-0x0000000004E90000-0x0000000004F22000-memory.dmp

memory/3128-133-0x0000000006E80000-0x0000000007424000-memory.dmp

memory/2920-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFBC5.tmp

MD5 ce5789f4b25587f50474253daf92f966
SHA1 a938370c29d63cd1a0c075430626def49f6a9103
SHA256 a79343b1739b182be3d628669255543b454e585d126b65319bdf4bcca8aaf8e0
SHA512 ed216a53d2bd59d36b6b38738a3a4df2161b7fb5800c769d954d1d6b9ccd35d510f8485ee12790cc4f623a52a36e7432b2ce68100dd7e96f064a53258420b59e

memory/1080-136-0x0000000000000000-mapping.dmp

memory/1080-137-0x0000000000400000-0x00000000004A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Product_List.exe.log

MD5 ab4c71d3ff6255edd4e5c1e09540f49e
SHA1 22e06bf4e258741b5df918061871cba998c50cea
SHA256 1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a
SHA512 8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

memory/1080-139-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/1080-140-0x00000000070B0000-0x00000000070BA000-memory.dmp

memory/1080-141-0x00000000079D0000-0x0000000007A20000-memory.dmp