Malware Analysis Report

2024-10-19 08:46

Sample ID 220521-pfejhsadfj
Target cdfbe574fd5d0be6ec09893c69bb550af33ff85b39019abcced1cf4d1ae6afba
SHA256 cdfbe574fd5d0be6ec09893c69bb550af33ff85b39019abcced1cf4d1ae6afba
Tags
masslogger collection ransomware rezer0 spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

cdfbe574fd5d0be6ec09893c69bb550af33ff85b39019abcced1cf4d1ae6afba

Threat Level: Known bad

The file cdfbe574fd5d0be6ec09893c69bb550af33ff85b39019abcced1cf4d1ae6afba was found to be: Known bad.

Malicious Activity Summary

masslogger collection ransomware rezer0 spyware stealer

MassLogger

MassLogger log file

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 12:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 12:15

Reported

2022-05-21 12:31

Platform

win7-20220414-en

Max time kernel

152s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase List.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1928 set thread context of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 1928 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\woUSvxLUnlfbH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3B0.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA3B0.tmp

MD5 80916c371d03d25522437b1cab4237ae
SHA1 3fc1ed6712e0793a7a56591e8255e6af1ed55bb8
SHA256 5a773f9de2b7c3373fc2b58ec48a9f060cba250a221e577399ed631b49e9207e
SHA512 623878b8a5d3e766031e700e4e3e7f770c7c7b540e82f0497e1e52efebf6204a442d63f492cb26de02d0b2a35030c189d190a1aee2366fbff977576738db8deb


Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 12:15

Reported

2022-05-21 12:30

Platform

win10v2004-20220414-en

Max time kernel

97s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Purchase List.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4052 set thread context of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4052 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 4052 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 4052 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Windows\SysWOW64\schtasks.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe
PID 4052 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\Purchase List.exe C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Purchase List.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

"C:\Users\Admin\AppData\Local\Temp\Purchase List.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\woUSvxLUnlfbH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp"

C:\Users\Admin\AppData\Local\Temp\Purchase List.exe

"{path}"

Network

Country Destination Domain Proto
NL 8.238.21.254:80 N/A tcp
NL 8.238.21.254:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:80 api.ipify.org tcp
US 8.8.8.8:53 mail.tcsqatar.com udp
US 66.96.146.112:587 mail.tcsqatar.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp

MD5 5c0933335379dda5f1c4a0a96eb15ea9
SHA1 ab284bd63c99c31f5367d2bf5c340a60a2d720b8
SHA256 2224e28ab3d00891b9a51832b98ecb62084446ebea4ce1e224e79475cb25667e
SHA512 2bba4eabd550d84979e4fd9887a4e838e7dc697fdc43f4329de75cc5cd15ec7667855e2a6d5d77df595b866a2fb840627e4ba48d477841e6480b26effeac20f7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase List.exe.log

MD5 ab4c71d3ff6255edd4e5c1e09540f49e
SHA1 22e06bf4e258741b5df918061871cba998c50cea
SHA256 1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a
SHA512 8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af
