Malware Analysis Report

2024-10-23 21:32

Sample ID 220521-nfp5ksggdp
Target 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48
SHA256 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48
Tags
masslogger collection ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48

Threat Level: Known bad

The file 2b28effca2feb3231324016122924a7873e11d4b0bc3a45467c645d2a73b0d48 was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware spyware stealer

MassLogger log file

MassLogger

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_office_path

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 11:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 11:20

Reported

2022-05-21 11:42

Platform

win7-20220414-en

Max time kernel

152s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 880 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 880 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 880 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 880 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 880 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 880 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSRQyICPZwKer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1A9.tmp"

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 52.20.78.240:80 | api.ipify.org | tcp

Files

memory/880-54-0x0000000000BF0000-0x0000000000CCE000-memory.dmp

memory/880-55-0x0000000000580000-0x000000000058A000-memory.dmp

memory/880-56-0x00000000058A0000-0x0000000005960000-memory.dmp

memory/880-57-0x0000000005C60000-0x0000000005D18000-memory.dmp

memory/1780-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE1A9.tmp

MD5 bc61a7afe6e32fc606e4725d18d2758a
SHA1 fae7a2211494033cfdf24737d120d97b75a128d9
SHA256 9c45677d92991b72a33710b757616dd5ef5a3631a303f87371387ee2be4cc5fa
SHA512 c72d0ae07fe39ffb5b87a0a54f09c81439be5b2658ff01909cc39c84502ce85d00d38420d537a70e6d14229bc8fd206a84e26d8546bceda7b0cc6e2f01428291

memory/1112-60-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-61-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-63-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-64-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-65-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-66-0x00000000004B2EDE-mapping.dmp

memory/1112-68-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-70-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1112-71-0x0000000004400000-0x0000000004478000-memory.dmp

memory/1112-72-0x0000000075711000-0x0000000075713000-memory.dmp

memory/1112-73-0x0000000004525000-0x0000000004536000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 11:20

Reported

2022-05-21 11:41

Platform

win10v2004-20220414-en

Max time kernel

122s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3996 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3996 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3996 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 3996 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe
PID 868 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\cmd.exe
PID 868 wrote to memory of 1152 | N/A | C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe | C:\Windows\SysWOW64\cmd.exe
PID 1152 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 5008 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSRQyICPZwKer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp"

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\order 2020.pdf.exe'

Network

Country | Destination | Domain | Proto
US | 13.89.178.26:443 | | tcp
US | 8.253.208.112:80 | | tcp
US | 8.253.208.112:80 | | tcp
US | 8.253.208.112:80 | | tcp

Files

memory/3996-130-0x0000000000D20000-0x0000000000DFE000-memory.dmp

memory/3996-131-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

memory/3996-132-0x0000000005C30000-0x0000000005CC2000-memory.dmp

memory/220-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE6F5.tmp

MD5 9102c19eefd948a84ed181429bfae74f
SHA1 7f9aa98c8fdd29141ab8241038b4d3a8005b631f
SHA256 e24e1885e275c4bbecff6dacfd5e1cbb23a8775f1c3634645e07a2d7f061b089
SHA512 570583637114680a097d1ba8de91afe37d4edaa6f5e9c360ed9c7f14ac1b542ee2ceac57488ff8726f71b28fe9d4a666105dfe24f6d91a1357a69944dff5db0b

memory/3924-135-0x0000000000000000-mapping.dmp

memory/4508-136-0x0000000000000000-mapping.dmp

memory/868-137-0x0000000000000000-mapping.dmp

memory/868-138-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order 2020.pdf.exe.log

MD5 ad1c7f6525cfeb54c0487efd38b0e26c
SHA1 ed3da94723ac7e3828a9e93d68418bb810592f3b
SHA256 0a534a3d0fa82e6a427164c5f6e702cac7e4afc9967af9bc5ddba4f84ab33276
SHA512 48d625e6be5391d91d95c2850226fe39bb2411cb72139797699cfe126e6b066182e83950a8ea67e63b64a66b0d45f58d8bc97cab0363d55c2fd88c0d1d28009c

memory/868-140-0x00000000059E0000-0x0000000005F84000-memory.dmp

memory/868-141-0x0000000005520000-0x0000000005586000-memory.dmp

memory/1152-142-0x0000000000000000-mapping.dmp

memory/5008-143-0x0000000000000000-mapping.dmp

memory/5008-144-0x00000000022F0000-0x0000000002326000-memory.dmp

memory/5008-145-0x0000000005000000-0x0000000005628000-memory.dmp

memory/5008-146-0x0000000004C60000-0x0000000004C82000-memory.dmp

memory/5008-147-0x0000000004D00000-0x0000000004D66000-memory.dmp

memory/5008-148-0x0000000005C80000-0x0000000005C9E000-memory.dmp

memory/5008-149-0x0000000007380000-0x00000000079FA000-memory.dmp

memory/5008-150-0x00000000061B0000-0x00000000061CA000-memory.dmp

memory/5008-151-0x0000000006F00000-0x0000000006F96000-memory.dmp

memory/5008-152-0x0000000006280000-0x00000000062A2000-memory.dmp