Malware Analysis Report

2024-10-23 21:32

Sample ID: 220521-ngz16sghbk
Target: ea1d486ee6b3c2dd96db4f2bc1236f4c40d2b7d3a8a060f3348fab00c98832db
SHA256: ea1d486ee6b3c2dd96db4f2bc1236f4c40d2b7d3a8a060f3348fab00c98832db
Tags: masslogger collection ransomware rezer0 spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: ea1d486ee6b3c2dd96db4f2bc1236f4c40d2b7d3a8a060f3348fab00c98832db
Threat Level: Known bad

The file ea1d486ee6b3c2dd96db4f2bc1236f4c40d2b7d3a8a060f3348fab00c98832db was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger log file

MassLogger Main Payload

MassLogger

ReZer0 packer

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 11:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 11:22
Reported: 2022-05-21 11:43
Platform: win7-20220414-en
Max time kernel: 124s
Max time network: 114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

The subkey 9375CFF0413111d3B88A00104B2A6676 under each Outlook profile is the MAPI section that holds account settings, including stored mail-server passwords; MassLogger-class stealers read it to recover mail credentials, so the "Key queried" and "Key opened" rows below are the collection step itself. Rows labelled "Key created" come from a create-key call, which on Windows returns the existing key when one is already present, so they do not by themselves show that the sample wrote anything to the profile.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1828 set thread context of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

The target, PID 288, is a second instance of the sample's own image that PID 1828 also writes to (see Suspicious use of WriteProcessMemory below). Writing into a fresh child of the same image and then resetting its thread context is the RunPE / process-hollowing sequence, so the unpacked payload should be dumped from PID 288 rather than from the parent.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1828 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1828 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1828 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1828 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1828 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LCdHbEA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp"

The command line names System32 but the process path is SysWOW64: the sample is a 32-bit process subject to WOW64 file-system redirection. Because the task is created from an XML file, neither the trigger nor the action appears on the command line; the file tmp58EA.tmp (hashed under Files) holds the actual definition and should be collected before the dropper removes it.

C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.220.57.224:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.mytravelexplorer.com | udp
GB | 89.187.85.6:587 | mail.mytravelexplorer.com | tcp

Files

memory/1828-54-0x00000000013C0000-0x000000000149E000-memory.dmp

memory/1828-55-0x0000000000380000-0x0000000000396000-memory.dmp

memory/1828-56-0x0000000005230000-0x00000000052E0000-memory.dmp

memory/844-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp58EA.tmp

MD5 3b40d727fd57e3e2fc340852cb6d420c
SHA1 8c7264b053d107aea4fabb49c22138e976cabe54
SHA256 55fbfb605c00ea11a54060559712c80cdf2a92c5c678a9ee02bcde0721baeeee
SHA512 d94f8e156ad52aa9b3ef382df7be2ed48194b908afde4b916c0f4a0fd5997369ba1bbb3c073759720e5071872b33ab586e3f910a14cb7422869dffda9b588dda

memory/288-59-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-60-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-62-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-63-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-64-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-65-0x00000000004A309E-mapping.dmp

memory/288-67-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-69-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/288-70-0x0000000000870000-0x00000000008B4000-memory.dmp

memory/288-71-0x0000000075741000-0x0000000075743000-memory.dmp

memory/288-72-0x00000000004B0000-0x00000000004F0000-memory.dmp

memory/288-73-0x0000000004FC0000-0x0000000004FD4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 11:22
Reported: 2022-05-21 11:44
Platform: win10v2004-20220414-en
Max time kernel: 168s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1732 set thread context of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
PID 1732 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe
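
The write-then-SetThreadContext pairs above (1828 to 288 in behavioral1, 1732 to 360 in behavioral2) are what an analyst should correlate rather than read row by row. The following is an added example, not code from the sandbox or from the sample: it takes the signature rows as (description, process, target) triples, which are constructed here to mirror the behavioral1 tables, and classifies each writer/target pair. Writes to schtasks.exe without a context change are reported separately at low confidence.

```python
"""Correlate cross-process memory writes with thread-context changes.

Added example, not sandbox or MassLogger code. The event triples are
constructed to mirror the WriteProcessMemory / SetThreadContext rows of
the behavioral1 detonation; behavioral2 (1732 -> 3908, 1732 -> 360) has
the same shape.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed telemetry: (description, process, target), one tuple per row.
BEHAVIORAL1_EVENTS = (
    [("PID 1828 wrote to memory of 844", SAMPLE, SCHTASKS)] * 4
    + [("PID 1828 wrote to memory of 288", SAMPLE, SAMPLE)] * 9
    + [("PID 1828 set thread context of 288", SAMPLE, SAMPLE)]
)

_DESC = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def correlate(events):
    """Group events by (writer PID, target PID) and classify each pair.

    A pair that receives both memory writes and a SetThreadContext call is
    the RunPE / process-hollowing sequence: the parent spawns a child
    (usually suspended), overwrites its image, then points the main thread
    at the new code. Writes alone are only a weak signal.
    """
    pairs = defaultdict(lambda: {"writes": 0, "context": False,
                                 "writer": "", "target": ""})
    for desc, proc, target in events:
        m = _DESC.match(desc)
        if not m:
            continue  # rows such as "N/A" carry no PIDs to correlate
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        rec = pairs[(src, dst)]
        rec["writer"], rec["target"] = proc, target
        if action == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["context"] = True

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        same_image = rec["writer"].lower() == rec["target"].lower()
        if rec["context"] and rec["writes"]:
            verdict = ("process hollowing (same image)" if same_image
                       else "injection with thread hijack")
        elif rec["writes"]:
            verdict = "memory write only (low confidence)"
        else:
            verdict = "thread context change without writes"
        findings.append({
            "writer_pid": src, "target_pid": dst,
            "writes": rec["writes"], "set_thread_context": rec["context"],
            "same_image": same_image, "verdict": verdict,
        })
    return findings


def hollowed_pids(findings):
    """PIDs whose memory should be dumped: the injected children."""
    return [f["target_pid"] for f in findings
            if f["verdict"].startswith(("process hollowing", "injection"))]


if __name__ == "__main__":
    found = correlate(BEHAVIORAL1_EVENTS)
    for f in found:
        print(f"{f['writer_pid']} -> {f['target_pid']}: {f['writes']} writes, "
              f"SetThreadContext={f['set_thread_context']}, {f['verdict']}")
    print("dump targets:", hollowed_pids(found))
```

On the behavioral1 rows this yields one hollowing verdict (1828 to 288, nine writes plus a context change) and one low-confidence write-only pair (1828 to 844, schtasks.exe), which matches the Files section: the unpacked image is the 0x400000-0x4A8000 region dumped from PID 288.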

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LCdHbEA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase Order_pdf.exe

"{path}"

Network

Country | Destination | Domain | Proto
NL | 104.110.191.140:80 | - | tcp
NL | 104.110.191.140:80 | - | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 54.91.59.199:80 | api.ipify.org | tcp
US | 8.8.8.8:53 | mail.mytravelexplorer.com | udp
GB | 89.187.85.6:587 | mail.mytravelexplorer.com | tcp
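
The network tables of both detonations show the same two-step pattern: an api.ipify.org lookup (MassLogger records the victim's public IP in its log) followed by an SMTP session on 587 to mail.mytravelexplorer.com, which is the log being mailed out. The following is an added example, not sandbox code, of correlating those two steps per host and of pulling blockable IOCs from the table. The flow records are constructed to mirror both Network tables; timestamps, source hostnames, the second host and the relay allowlist are invented for the example because the report carries none of them.

```python
"""Correlate an external-IP lookup with a follow-on SMTP session.

Added example, not sandbox code. Flow records are constructed from the
report's Network tables; timestamps, hostnames, the WS02 control traffic
and the relay allowlist are hypothetical.
"""
from datetime import datetime, timedelta

IP_ECHO_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}
SMTP_PORTS = {25, 465, 587}
MAIL_RELAY_ALLOWLIST = {"smtp.office365.com"}  # hypothetical corporate relays

# Constructed flows: (timestamp, source host, dst ip, dst port, proto, domain or "")
FLOWS = [
    ("2022-05-21T11:23:01", "WS01", "8.8.8.8", 53, "udp", "api.ipify.org"),
    ("2022-05-21T11:23:01", "WS01", "3.220.57.224", 80, "tcp", "api.ipify.org"),
    ("2022-05-21T11:23:04", "WS01", "8.8.8.8", 53, "udp", "mail.mytravelexplorer.com"),
    ("2022-05-21T11:23:05", "WS01", "89.187.85.6", 587, "tcp", "mail.mytravelexplorer.com"),
    ("2022-05-21T11:23:07", "WS01", "104.110.191.140", 80, "tcp", ""),
    # control: a mail client on the corporate relay, with no IP-echo lookup
    ("2022-05-21T11:30:00", "WS02", "8.8.8.8", 53, "udp", "smtp.office365.com"),
    ("2022-05-21T11:30:01", "WS02", "203.0.113.25", 587, "tcp", "smtp.office365.com"),
]


def _parse(flows):
    return [(datetime.fromisoformat(ts), host, ip, port, proto, dom)
            for ts, host, ip, port, proto, dom in flows]


def find_exfil_sequences(flows, window=timedelta(minutes=5)):
    """Per source host: an IP-echo lookup followed within `window` by a TCP
    session on an SMTP port to a server outside the relay allowlist.

    Either event alone is common; the two together from one workstation,
    seconds apart, is the stealer delivery pattern seen in this report.
    """
    parsed = sorted(_parse(flows))
    lookups = {}  # host -> (timestamp, service) of the latest IP-echo request
    hits = []
    for ts, host, ip, port, proto, dom in parsed:
        if dom in IP_ECHO_SERVICES and proto == "tcp":
            lookups[host] = (ts, dom)
            continue
        if proto == "tcp" and port in SMTP_PORTS and dom not in MAIL_RELAY_ALLOWLIST:
            if host in lookups and ts - lookups[host][0] <= window:
                delay = (ts - lookups[host][0]).total_seconds()
                hits.append({"host": host, "lookup": lookups[host][1],
                             "smtp_server": dom or ip, "dst": f"{ip}:{port}",
                             "seconds_after_lookup": delay})
    return hits


def extract_iocs(flows):
    """Contacted domains and non-resolver ip:port pairs.

    Flows with no recorded domain (the 104.110.191.140:80 rows) are kept as
    endpoints but need review before blocking; the report does not say what
    they were.
    """
    domains, endpoints = set(), set()
    for _, _, ip, port, proto, dom in flows:
        if port == 53:
            continue  # the resolver is not an indicator
        if dom:
            domains.add(dom)
        endpoints.add(f"{ip}:{port}")
    return {"domains": sorted(domains), "endpoints": sorted(endpoints)}


if __name__ == "__main__":
    for hit in find_exfil_sequences(FLOWS):
        print(hit)
    print(extract_iocs(FLOWS))
```

The IP-echo lookup is deliberately not treated as an IOC on its own: api.ipify.org is used by plenty of legitimate software, so it belongs in the correlation, not the blocklist, whereas mail.mytravelexplorer.com and 89.187.85.6:587 can be blocked outright.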

Files

memory/1732-130-0x0000000000F10000-0x0000000000FEE000-memory.dmp

memory/1732-131-0x00000000059A0000-0x0000000005A32000-memory.dmp

memory/1732-132-0x0000000005A90000-0x0000000005B2C000-memory.dmp

memory/1732-133-0x0000000007A40000-0x0000000007FE4000-memory.dmp

memory/3908-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4D9E.tmp

MD5 af1c765462d92d26fa7922f175b523c5
SHA1 366766936b9c9280a0611a565c9b7bff7231fadb
SHA256 c9fc3469264cef0e02823cc831d6359e82ce1120fd0612042d89833154d5f3d6
SHA512 c34cf1a6578829db406c5ff2655ace76cc8c87baab5cc90d4e65355eefb287bdec815ee8d9bc4f52f0f8291591c0d5accc31127938093a2b2b45e32903f3deed

memory/360-136-0x0000000000000000-mapping.dmp

memory/360-137-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/360-138-0x0000000005430000-0x0000000005496000-memory.dmp

memory/360-139-0x0000000006F90000-0x0000000006F9A000-memory.dmp

memory/360-140-0x0000000008210000-0x0000000008260000-memory.dmp