Malware Analysis Report

2024-10-23 21:33

Sample ID 220521-pm9cgaaghr
Target 2a1433e205534494d75ae6b053fd6bbdbf46fa96513066ad1d871cf6ff2c65dc
SHA256 2a1433e205534494d75ae6b053fd6bbdbf46fa96513066ad1d871cf6ff2c65dc
Tags: masslogger agilenet collection ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2a1433e205534494d75ae6b053fd6bbdbf46fa96513066ad1d871cf6ff2c65dc

Threat Level: Known bad

The file 2a1433e205534494d75ae6b053fd6bbdbf46fa96513066ad1d871cf6ff2c65dc was found to be: Known bad.

Malicious Activity Summary

masslogger agilenet collection ransomware spyware stealer

MassLogger log file

MassLogger

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-21 12:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-21 12:27
Reported: 2022-05-21 12:38
Platform: win7-20220414-en
Max time kernel: 85s
Max time network: 90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger log file

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 892 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe

outlook_office_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp

Files

memory/892-54-0x0000000000010000-0x00000000001B2000-memory.dmp

memory/892-55-0x0000000076561000-0x0000000076563000-memory.dmp

memory/892-56-0x0000000000790000-0x00000000007B8000-memory.dmp

\Users\Admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/892-59-0x0000000002000000-0x000000000200A000-memory.dmp

memory/1980-60-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-61-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-63-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-64-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-66-0x00000000004B2FAE-mapping.dmp

memory/1980-68-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-67-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-72-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-75-0x0000000000320000-0x00000000003D8000-memory.dmp

memory/1980-76-0x0000000000A00000-0x0000000000A78000-memory.dmp

memory/1980-78-0x00000000008D5000-0x00000000008E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-21 12:27
Reported: 2022-05-21 12:38
Platform: win10v2004-20220414-en
Max time kernel: 160s
Max time network: 183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 388 wrote to memory of 3968 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe
PID 3968 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe | C:\Windows\SysWOW64\cmd.exe
PID 4212 wrote to memory of 1004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4212 wrote to memory of 1004 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe

"C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe' & exit

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Augustus Inkooporder .pdf______________________________________________________________________________.exe'

Network

Country | Destination | Domain | Proto
US | 67.24.169.254:80 | | tcp
GB | 51.105.71.137:443 | | tcp
US | 52.152.108.96:443 | | tcp
US | 8.253.69.232:80 | | tcp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp

Files

memory/388-130-0x0000000000400000-0x00000000005A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c08e67e7-d17e-42f4-84a8-059771d01a58\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/388-132-0x0000000073B20000-0x0000000073BA9000-memory.dmp

memory/388-133-0x0000000005E70000-0x0000000006414000-memory.dmp

memory/388-134-0x00000000059A0000-0x0000000005A32000-memory.dmp

memory/3968-135-0x0000000000000000-mapping.dmp

memory/3968-137-0x0000000000630000-0x00000000006E8000-memory.dmp

memory/3968-138-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

memory/3968-139-0x0000000004D50000-0x0000000004DB6000-memory.dmp

memory/4212-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Augustus Inkooporder .pdf______________________________________________________________________________.exe.log

MD5 fc13935f3038bdde6cb484249fbff668
SHA1 a4c32013e6d59bf1eb1a5119456965de191e62b8
SHA256 de064c569a5f4edaf2da91d7bcb82bab06a35190b699cede1da0aa616a23d676
SHA512 5817275af0f8a48eb1e008d39f62fb3582db9a2d21a806e9f9ee36fbfd799fb17e91f0e3686f4b236724fe78f14ae7f40cd3755f0ec0fb6734ce42f996b798f7

memory/1004-142-0x0000000000000000-mapping.dmp

memory/1004-143-0x0000000004CF0000-0x0000000004D26000-memory.dmp

memory/1004-144-0x0000000005360000-0x0000000005988000-memory.dmp

memory/1004-145-0x00000000052E0000-0x0000000005302000-memory.dmp

memory/1004-146-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/1004-147-0x0000000006400000-0x000000000641E000-memory.dmp

memory/1004-148-0x0000000007CE0000-0x000000000835A000-memory.dmp

memory/1004-149-0x0000000006940000-0x000000000695A000-memory.dmp

memory/1004-150-0x0000000007660000-0x00000000076F6000-memory.dmp

memory/1004-151-0x0000000006A00000-0x0000000006A22000-memory.dmp