Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-d1r5kabfej
Target 00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c
SHA256 00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c
Tags
masslogger collection ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c

Threat Level: Known bad

The file 00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

outlook_office_path

outlook_win_path

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:11

Platform

win7-20220414-en

Max time kernel

151s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1312 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

"C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1D1.tmp"

C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.yandex.ru udp
RU 77.88.21.158:587 smtp.yandex.ru tcp
US 8.8.8.8:53 repository.certum.pl udp
NL 104.110.191.15:80 repository.certum.pl tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD1D1.tmp

MD5 12105f8229d31fdf724e48a80ab8254a
SHA1 f288bf2351189b468f046c11bdf9c5d6f0e641b4
SHA256 b0ceacfa6c56abf7e73f7560e4af6d8df2cc865a7098a375205187d3ea6e279e
SHA512 d4b34640b1e08a561403d094ec5cc87c4b0dbe9a3497590009fcb3dfd75a924b9a504b3a59a817996f8afe2844d3e35a6d2ea059a88de538729cf3e816f59d30

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:28

Reported

2022-05-21 05:11

Platform

win10v2004-20220414-en

Max time kernel

146s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe
PID 3312 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

"C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hffwylP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4997.tmp"

C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe'

Network

Country Destination Domain Proto
NL 104.97.14.81:80 N/A tcp
IE 20.54.110.249:443 N/A tcp
NL 178.79.208.1:80 N/A tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4997.tmp

MD5 10e1face4ffdc6121038160de5dfb2e5
SHA1 2e30a7f9112f7a2a9523552639d86ac37c654273
SHA256 4ce635aba88296abd1f9b93a5d4afda4c2b86b72b9fcd39f9baec3d7a8bbcfc5
SHA512 e065ea15dc9bee086707abf38042705f797d012a2495acf5abc23ae7a5271b36484f9293b4477ab4c307016f8d1ff57dd87de646081cce7597ea63a4d5e3d975

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00068dc51db13086db2a9fc776a55a946c699f1a225ee6595ae6b91ea469356c.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
