Malware Analysis Report

2024-12-01 02:55

Sample ID 241108-lfw7sazfjb
Target Pedido de Cotação-241107_Pdf.bat.exe
SHA256 af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c
Tags
vipkeylogger collection discovery execution keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

af42e687e09cde0d0244260e147d8a8d6d6d72122720ba86bbffc162343eff3c

Threat Level: Known bad

The file Pedido de Cotação-241107_Pdf.bat.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

VIPKeylogger

Vipkeylogger family

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 09:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 09:29

Reported

2024-11-08 09:31

Platform

win10v2004-20241007-en

Max time kernel

126s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4272 set thread context of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4272 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 4272 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 4272 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 4272 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp172.tmp"

C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp172.tmp

MD5 afafe8d169d063507c1164339dcf5b02
SHA1 9a02b33cb7694d3eacbbfc3f8048de1e58565dc9
SHA256 f8c58a31929dee4af1cef17d10c51efd365da4c4d56d32eddf0fb0a60d69c825
SHA512 e555f879cb1cf81adcf8ba4fcd67757dc470fde1ad22a2d01ec22f9d254833e0962154ea5d5a8017a60e696eb15c27b097e21c96c8dc5a6fb1ea199544071e0a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ion3a2pb.v14.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 940f225b68775c24b1b03082ae103cc2
SHA1 bcd9bed8a59d189167b342466451f3842fe3f751
SHA256 5e8be40617921c16251a0d64ec35302235eaeeab2c3ef1552ad7cf2d3cd8c3fc
SHA512 20843a74e6811abb6de0afd3e2bd436f4acb45632946179d18903c6daeb85e4e8a82c6c3315d97386a87484ca3914b3d7d5656bf62b7e60172147f0c1bd62ea7

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 09:29

Reported

2024-11-08 09:31

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 824 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 824 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Windows\SysWOW64\schtasks.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe
PID 824 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oqRwcWctcQ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oqRwcWctcQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1796.tmp"

C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação-241107_Pdf.bat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 172.67.177.134:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1796.tmp

MD5 64d11c649aa9bd9409a2c9ac0f37a548
SHA1 3b9af8dce123a114bbcce296e3e31589941ae7cb
SHA256 5e45750c01a1519c8bf1994cab041a7956b9fbae8ac31146475510365d9519d3
SHA512 bfd9ed766c7e70bcd73d4ad344c27b01b3f23233c55657407665737955e67a5f0b63e0716902be140a564c9ac11227b54f61af4050ac4c66d3947045ddeb7372

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 898789bb99529f7058deef0a447babcc
SHA1 677011f990732b5419f01ea0fd8a3d44e7a72d9d
SHA256 e0dc73ccc63a647266676083cf236a1e372da0d4a81f8fc894ec98acdc177ec6
SHA512 3d91332cb94668497c06f06e5e84e587bb20be9d0816828295b2ba54ec3ff6162d2eb1a3fff1cfe4b8860943a62190e165be6fe230802473463c283043c4468d
