Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-d47pesgha6
Target 0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b
SHA256 0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b
Tags
masslogger ransomware rezer0 spyware stealer collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b

Threat Level: Known bad

The file 0410a74a0b1bd7b7a626e2c1efb3c7e91c6f0571a42dd447c86a4afe382ba18b was found to be: Known bad.

Malicious Activity Summary

masslogger ransomware rezer0 spyware stealer collection

MassLogger log file

MassLogger

ReZer0 packer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

outlook_win_path

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 03:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 03:34

Reported

2022-05-21 05:20

Platform

win7-20220414-en

Max time kernel

59s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1980 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1616 set thread context of 1524 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1980 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 1732 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1628 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 800 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 800 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 800 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 800 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 800 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 800 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 800 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 800 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Windows\SysWOW64\schtasks.exe
PID 1616 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 1616 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC70.tmp"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6FF.tmp"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC70.tmp

MD5 ac6d80bf25675aefd5cc746dfbf63b04
SHA1 421facc246f710e1e0abc25c8f8f518890d149d6
SHA256 f580a5f04654984fd80701c64fd2339547db3f7b6fc4abafae20961c80921680
SHA512 1268c557f06e7b5b76cc0c94efdd88d342fa9f07edd94a6f691974dc58c69d1456baa255263ca57c95a370d9ae5274541c730140d83402f5b1d6fc1d0aea5602

C:\Users\Admin\AppData\Local\Temp\tmpC39E.tmp.bat

MD5 c0129017e1f1dfd85de7e6fc11e8adc1
SHA1 b0a1b7edec8a5e7d2b47bf5e03cd67e62b8d70fe
SHA256 9b76f48a22b668bcbf36feb67bafa528009b3ff87d73b65d2a9fa42c47715762
SHA512 6b54f426fa7035703bfbc5fad3bef6f5df1729edfe2e8e713d77a45d7a274c0287ce1bbc74a5f68737c7dcfb9d9153b071e45b722d2bdb72046b3cacd9659622

\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 e6f2ef791f0ec1869a975fa14248e8a1
SHA1 bca1cf7d10b095100273065d9e59fd1107afd353
SHA256 c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500
SHA512 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b

C:\Users\Admin\AppData\Local\Temp\tmpD6FF.tmp

MD5 ac6d80bf25675aefd5cc746dfbf63b04
SHA1 421facc246f710e1e0abc25c8f8f518890d149d6
SHA256 f580a5f04654984fd80701c64fd2339547db3f7b6fc4abafae20961c80921680
SHA512 1268c557f06e7b5b76cc0c94efdd88d342fa9f07edd94a6f691974dc58c69d1456baa255263ca57c95a370d9ae5274541c730140d83402f5b1d6fc1d0aea5602

C:\Users\Admin\AppData\Local\Temp\79FE0CC911\Log.txt

MD5 dd4c9d18d412811d8c0da01d6b465703
SHA1 061cf7b8dcb6b0be2834c5795b2f5ec917791380
SHA256 5532fc69b2753a1a303a55945098f139570da207b7230857efa994f3759b3bc5
SHA512 bb6ff296e0893237b8ab92bec484e0f35956d0b45c7ef7fc2827e054ebf3763278d57e51d0190df61ba97ffbe08f7d26b8ec6aff0ec9eaee7008fb45b3cba5a6

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 03:34

Reported

2022-05-21 05:20

Platform

win10v2004-20220414-en

Max time kernel

132s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3484 set thread context of 2032 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 4756 set thread context of 4960 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 3484 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 3484 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\schtasks.exe
PID 3484 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 3484 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 3484 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 3484 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 3484 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe
PID 2032 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3924 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3924 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 4756 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4756 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe
PID 4756 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB99.tmp"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe

"C:\Users\Admin\AppData\Local\Temp\NEW ORDER .exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAF5.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IapdeqiYxjrvsQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

"C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe"

Network

Country Destination Domain Proto
NL 20.190.160.67:443 tcp
US 52.182.143.208:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 87.248.202.1:80 tcp
NL 20.190.160.136:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
NL 20.190.160.71:443 tcp
NL 20.190.160.129:443 tcp
US 8.8.8.8:53 api.ipify.org udp
US 54.91.59.199:80 api.ipify.org tcp
US 8.8.8.8:53 mail.privateemail.com udp
US 198.54.122.135:587 mail.privateemail.com tcp
NL 20.190.160.75:443 tcp
NL 20.190.160.134:443 tcp

Files

memory/3484-130-0x0000000000AE0000-0x0000000000B98000-memory.dmp

memory/3484-131-0x0000000005A80000-0x0000000006024000-memory.dmp

memory/3484-132-0x0000000005570000-0x0000000005602000-memory.dmp

memory/3484-133-0x0000000005700000-0x000000000570A000-memory.dmp

memory/3484-134-0x00000000077C0000-0x000000000785C000-memory.dmp

memory/4528-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB99.tmp

MD5 04c33888a157708c2a0ad52d9ddfad53
SHA1 a016eebe11e1cb80db8e46ced14f810ffff3ce7f
SHA256 1784f131dcb5411b85b06ba1cba60e6bab81895a552db04cd7fab3e7af406b09
SHA512 040bbd69bf21c8163969d107e33a8fd9524e28bf3ee512caf4e68cdef73843f02a2f9037147436232e34626cb89b14de202c7b1cc5bcd09f57bee9bb087cffbb

memory/3460-137-0x0000000000000000-mapping.dmp

memory/5116-138-0x0000000000000000-mapping.dmp

memory/2032-139-0x0000000000000000-mapping.dmp

memory/2032-140-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-142-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-144-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-146-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-148-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-150-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-152-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-154-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-156-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-158-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-160-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-162-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-164-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-166-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-168-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-170-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-172-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-174-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-176-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-178-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-180-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-182-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-184-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-186-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-188-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-190-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-192-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-194-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-196-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-198-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-200-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-202-0x0000000000400000-0x00000000004A6000-memory.dmp

memory/2032-641-0x0000000006B60000-0x0000000006BC6000-memory.dmp

memory/3576-642-0x0000000000000000-mapping.dmp

memory/3924-643-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER .exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/5112-645-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAAF5.tmp.bat

MD5 18fc892a100ff2055e7277e19da9a04d
SHA1 b025c65a7fc311c8ec068b286268d554cd46dde9
SHA256 2cfbe402d4b49b686515398e5eb689991abba475ea884d6740c711273be9e937
SHA512 eeaed1f8e3337114bd7aee1cd0a1c22151d2b2199fdbd3a77fb6085056f6ef37056999f7b189effc72f1aef5cf7988bbb8f961c682b59d5edacf883e8cd23f0f

memory/4976-647-0x0000000000000000-mapping.dmp

memory/4756-648-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\VideoLAN\vlc.exe

MD5 e6f2ef791f0ec1869a975fa14248e8a1
SHA1 bca1cf7d10b095100273065d9e59fd1107afd353
SHA256 c77b479ead371d060f45186dc10d6bb2c9d32aac0275de27fab94b2f65a54500
SHA512 247b507bb4073e1a89f7078812ab993831923691cf6b40962b0685d96205281472f183b00ce122cd59a979fb3b45152a2a5bdb168de9d368ba2c1994c32a082b

memory/2364-651-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp

MD5 04c33888a157708c2a0ad52d9ddfad53
SHA1 a016eebe11e1cb80db8e46ced14f810ffff3ce7f
SHA256 1784f131dcb5411b85b06ba1cba60e6bab81895a552db04cd7fab3e7af406b09
SHA512 040bbd69bf21c8163969d107e33a8fd9524e28bf3ee512caf4e68cdef73843f02a2f9037147436232e34626cb89b14de202c7b1cc5bcd09f57bee9bb087cffbb

memory/3940-653-0x0000000000000000-mapping.dmp

memory/4960-655-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\19E979543A\Log.txt

MD5 778aca6268a395ca519edf05ef7ebf66
SHA1 6a9460effda3d5f02e2445e0f01812fc2fe60456
SHA256 7dfec20687e2eee0a7ea24b7c1371cab87e21c6febacf82d104e12bf12203a64
SHA512 70967db5040ec24454e18cad007b66e4c2e5dc8c6b80e8fdb5394166ef1a2f78513126cd9f2ff4e5d843d5609e16cddc7e17764c8abb661f9c6bf4e5bc806098

memory/4960-1159-0x0000000007D30000-0x0000000007D80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3