Malware Analysis Report

2025-03-15 03:51

Sample ID 230910-nqlj5sgg3y
Target b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
Tags
fatalrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

Threat Level: Known bad

The file b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4 was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer rat

FatalRat

Fatal Rat payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 11:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 11:36

Reported

2023-09-10 11:38

Platform

win7-20230831-en

Max time kernel

120s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

"C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

"C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 df8588.pw udp
MU 156.236.70.27:443 df8588.pw tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
MU 156.236.70.27:443 df8588.pw tcp
HK 103.100.210.65:5858 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3D60.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar3ECA.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5977aee56cdf54943366ff1fe5a169dd
SHA1 e3a891859c771752c5b4e2d350f13ee60570b391
SHA256 3e4d7036b66d7a4f9dca645ed0675e799fbab7f647c23f3041d6cbbf7e911152
SHA512 e9a6e615385ee59d33d95ca5d502a9757e6c906770f4689e3b57a63ceda5d27722cf8aabea992dfd58884a011fc5202c1ec69a2349de58bb086c8c73de923352

memory/3040-81-0x00000000006C0000-0x00000000006F2000-memory.dmp

memory/3040-80-0x0000000010000000-0x0000000010031000-memory.dmp

memory/3040-85-0x0000000000700000-0x000000000072A000-memory.dmp

\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 842fae2dcafd878cebe3a7aed378c30f
SHA1 2d39e09f01c9007f02854b9fca293b4b70970d66
SHA256 7026d4e6f8b30a4821c1f9cd2c48a04e5c61136b9659e296a9d9293f49a5d053
SHA512 ad46716d2a949eeedb1a8a1dad0ed853c7622f20b072f7538b3a87842c315252f59225b12d1d64614dc78bf001a128ec4d94c310b77c72320082a880d4ecec66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 7f7b6e627c420dc066f923153f3aebc9
SHA1 494db108f11a8a964da9cb13c5e3e163626941fd
SHA256 86b3a07564492e56b6076e6eec95a7a146a660709025d10009291be6bde7f6f9
SHA512 6c7aa8a6642a414bd52b5b9b9d4feafa37b736b4d44057f9649c3084530a01f7b946067f7bb7c7f9b82e41ca90e574e87f14b3f7b431bd9d889eca97f211297d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D78689371D39E2B183BEA37F7313E

MD5 f0a84e34684536aa28353865eeb1b8eb
SHA1 1537e73198ddec46589eff66494481468b4bb8a6
SHA256 9c91595df518bba03ad5ab78f794b234d53b5affb088023aad76812375bf9b01
SHA512 f14cc3d2c6bf382cabce521a42947ec4fbe600a1a7e718c553a94a9e0381d5eceeb78400a31efc0626ea62935da5aaee132b991ca78e69af9ba2a989a3cf9df1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D78689371D39E2B183BEA37F7313E

MD5 835eda08ed9fa72e5aaf35f2560e8b1f
SHA1 92938db96156cf6ecb7f0ca396df4cc2f16cbe86
SHA256 e184b2757f5be3cb61c9e8f01549e789ab6cfbbe16ca59b3136e28f85d95ab9c
SHA512 78e62f6335705af9263bea463e7990f4bc4832961e23c7e43a3344d96f3d07b6b5e66e93c19617a29b3d64a0800cc51b7330d95ae6bf388e74ff637432b9348c

memory/2876-135-0x0000000000550000-0x000000000057A000-memory.dmp

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 11:36

Reported

2023-09-10 11:38

Platform

win10v2004-20230831-en

Max time kernel

90s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4272677097-406801653-1594978504-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

"C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

"C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 df8588.pw udp
MU 156.236.70.27:443 df8588.pw tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 27.70.236.156.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
MU 156.236.70.27:443 df8588.pw tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
HK 103.100.210.65:5858 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.210.100.103.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp

Files

memory/2644-9-0x0000000010000000-0x0000000010031000-memory.dmp

memory/2644-11-0x0000000003A70000-0x0000000003AA2000-memory.dmp

memory/2644-14-0x0000000003AB0000-0x0000000003ADA000-memory.dmp

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

MD5 074a292b0a1405cf35e5a9d6067f15ca
SHA1 5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256 b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512 b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 2b02ef635974f1452f0eac7697f4413d
SHA1 55171af955694cc72dc38c63dd340a7882645c92
SHA256 b9fab7eb4ab1814ecb5c556a9c134d2d589d5e2706f1b4fc9dcbb75343a2ef25
SHA512 437775326962761afadb7b949859a1750af4e695338708aef9cd875134cb9d22a573c83b73cbf4d3f16de568a612cfda2f250f98c9b1379f001c5e17c0891d6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D78689371D39E2B183BEA37F7313E

MD5 576b800b248ca6951707e45e43dac7f1
SHA1 1eb6d7d1ec350f45eb816c710cfa9fdfd064b609
SHA256 919f4ecfb158de03c46d0a46a7614074a266d0bb4d3112f851d34cde67a1c76f
SHA512 0879b430acad3a13e9b7cad303e3edf90c589c4a4631c5baf8e4b2af5cf25bef3631dbbc84ae7cb56a0df5068514d5cba324d3f018417c792438489945f8b776

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D78689371D39E2B183BEA37F7313E

MD5 f0a84e34684536aa28353865eeb1b8eb
SHA1 1537e73198ddec46589eff66494481468b4bb8a6
SHA256 9c91595df518bba03ad5ab78f794b234d53b5affb088023aad76812375bf9b01
SHA512 f14cc3d2c6bf382cabce521a42947ec4fbe600a1a7e718c553a94a9e0381d5eceeb78400a31efc0626ea62935da5aaee132b991ca78e69af9ba2a989a3cf9df1

memory/1116-39-0x0000000003600000-0x000000000362A000-memory.dmp