Analysis Overview
SHA256
78dd9812c391c45f55ae45735371b6ac7d9f84aba107da824895be3b1d3250e1
Threat Level: Known bad
The file ad49dd256adedfa2be9188ec3f68cb75.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RisePro
PrivateLoader
RedLine
SmokeLoader
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of local email clients
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
outlook_office_path
Modifies system certificate store
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Creates scheduled task(s)
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:50
Reported
2023-12-11 03:53
Platform
win7-20231129-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93A8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext (1Ma25Tt3.exe sets the thread context of the AppLaunch.exe it spawned with no arguments, the final step of process hollowing after WriteProcessMemory; every AppLaunch.exe entry elsewhere in this report, the Startup .lnk, the Run key, the Outlook profile reads and the Group Policy writes, is therefore the injected payload running inside a Microsoft .NET Framework host process, not AppLaunch.exe's own behaviour)
| Description | Indicator | Process | Target |
| PID 3008 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store (the thumbprint below, D4DE20D05E66FC53FE1A50882C78DB2852CAE474, is that of the Baltimore CyberTrust Root CA; together with the CryptnetUrlCache entry listed under Files this is consistent with the Windows automatic root-certificate update that the sample's outbound TLS connections trigger on a fresh Windows 7 image, not with a certificate planted by the sample)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary certificate blob elided) | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93A8.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe
"C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
C:\Users\Admin\AppData\Local\Temp\93A8.exe
C:\Users\Admin\AppData\Local\Temp\93A8.exe
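The two schtasks command lines above and the Run/RunOnce rows under "Adds Run key to start application" are the persistence evidence in this report. The following added example (written for this page; it is not code from the sandbox or from any of the families named above) parses both shapes and separates what actually persists from what merely fingerprints the dropper: the wextract_cleanupN RunOnce values are written by the Win32 Cabinet Self-Extractor so that its IXP00N.TMP folder is deleted at next logon, whereas the ProgramData task and the AppData Run key are the real foothold. The user-writable path list, the reason strings it records and the one benign task included for contrast are this example's own assumptions.

```python
"""Triage of the persistence entries listed in this report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption of this example: a Run key or task that relaunches a binary from a
# location an unprivileged user can write to deserves a look; vendor tasks
# normally live under Program Files or Windows.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    kind: str      # "schtasks", "runkey" or "sfx-cleanup"
    name: str      # task name or registry value name
    image: str     # path the entry launches (for sfx-cleanup: the folder it deletes)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return "launches from user-writable path" in self.reasons


def _tokens(cmd: str) -> list[str]:
    """Windows-style split: a double-quoted run is one token, quotes dropped."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def _user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE)


def parse_schtasks(cmd: str) -> Finding | None:
    """Parse one 'schtasks /create ...' command line as printed under Processes."""
    toks = _tokens(cmd)
    if len(toks) < 2 or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe") \
            or toks[1].lower() != "/create":
        return None
    flags: dict[str, str] = {}
    i = 2
    while i < len(toks):                       # "/f" takes no argument, "/tn X" does
        has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("/")
        flags[toks[i].lower()] = toks[i + 1] if has_arg else ""
        i += 2 if has_arg else 1
    # The tasks in this report carry a bare path in /tr; arguments would follow it.
    f = Finding("schtasks", flags.get("/tn", ""), flags.get("/tr", ""))
    if _user_writable(f.image):
        f.reasons.append("launches from user-writable path")
    if flags.get("/rl", "").upper() == "HIGHEST":
        f.reasons.append("requests highest run level")
    sc = flags.get("/sc", "").upper()
    if sc in ("ONLOGON", "ONSTART"):
        f.reasons.append("re-runs at logon/boot")
    elif sc in ("MINUTE", "HOURLY"):
        f.reasons.append("short repeat interval")
    return f


_ROW = re.compile(r'^(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$')


def parse_run_value(row: str) -> Finding | None:
    """Parse a '<value path> = "<data>"' row from "Adds Run key to start application"."""
    m = _ROW.match(row.strip())
    if not m or m["key"].rsplit("\\", 1)[-1].lower() not in ("run", "runonce"):
        return None
    data = re.sub(r"\\(.)", r"\1", m["data"])   # undo the report's \\ and \" escaping
    toks = _tokens(data)
    # A RunOnce value wextract_cleanupN calling advpack!DelNodeRunDLL32 is what a
    # Win32 Cabinet Self-Extractor (IExpress) writes so its IXP00N.TMP folder is
    # deleted at next logon: it fingerprints the dropper format, not persistence.
    if m["name"].lower().startswith("wextract_cleanup") and "delnoderundll32" in data.lower():
        return Finding("sfx-cleanup", m["name"], toks[-1], ["IExpress/wextract extraction dir"])
    f = Finding("runkey", m["name"], toks[0] if toks else "")
    if _user_writable(f.image):
        f.reasons.append("launches from user-writable path")
    return f


# Copied from the report above, plus one constructed benign task for contrast.
SAMPLE_TASKS = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /tn "Vendor Updater" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY /rl HIGHEST',  # constructed
]
SAMPLE_RUN_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"',
]


def triage(task_lines: list[str], run_rows: list[str]) -> list[Finding]:
    found = [parse_schtasks(t) for t in task_lines] + [parse_run_value(r) for r in run_rows]
    return [f for f in found if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_TASKS, SAMPLE_RUN_ROWS):
        print("SUSPICIOUS" if f.suspicious else "info      ", f.kind, f.name, f.image, f.reasons)
```

Run as-is it flags both OfficeTrackerNMP131 tasks and the MaxLoonaFest131 Run key, reports the wextract_cleanup1 value as the IXP001.TMP extraction folder of a nested self-extractor, and leaves the Program Files task alone; the two nested IXP folders (IXP000.TMP created by the sample, IXP001.TMP created by yo6PH81.exe) are why the report lists two cleanup values.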
Network
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
| MD5 | a9f0755518f7b32840de5ee0a96e20e4 |
| SHA1 | df640c0b6c99529a67befc9fae50141e4c176ebb |
| SHA256 | adc0697873fb5f526c9edd475f7b4bfd3556346f7e1cfe2b30dcdf751edff5b4 |
| SHA512 | 8f854804552bd1178aa4820f8be7d1175f83469f20d56526dcad3a81527b10834dee8ab44ecca46d9084a59af79887af9d19c7c7acdf8dbac01df65e74798d78 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
| MD5 | 522322c35e5b0ad7e5c7355f502d398f |
| SHA1 | f7ca9fd1cd87e6c80906505c2d8159ca39ba6ad3 |
| SHA256 | 509bf6aac2dc07e76eb2e5e5ea25eb72fc7e6c0964d8a1f4422bb0c40c82a1ae |
| SHA512 | 8d841a346db1c8886059a779be04546662af70bd65abe8a10aa1b4934810034586c219b4ff835a439a14c8c840323812bfc46f1208c2f25ce300d577f9d97c4e |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | 738a0438f8e65be092450d364972cf9b |
| SHA1 | eb2f34f1422a87658defdc0da7f4f7955d78d670 |
| SHA256 | 10b09a992ce7b644fefd0214ad22eb7cef7bf5dc942d4282a47cbba1038ab846 |
| SHA512 | 4eb50d8741070444f2299b018cf1e0855f121977cd3364e7a1290f41ded35cd04464bf38c1e0882d8fd873a4bbb919134f810c5f438be4dd195860d44d5d1089 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | af58cd09c246b6cabc94e9fc90c66eed |
| SHA1 | 0bd8353505b3d3e80ec5651432304ec395a34c74 |
| SHA256 | 08dc56904e8ef4638f94a945e71d577a473ea911fb8bd9d8ffeceb750beb3263 |
| SHA512 | f922f7165c31c5fcb718a6f43872c38052d107249dc3f5500321297119052bce2f2f78821424246d4fca226ba716a97709d76ffdf5bc2dcee6068c5f29bcc901 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | 67ac77d68dafb1946713f2e332e1d4b1 |
| SHA1 | 3cc85e2621df2da7d2f87c07d5203de312651d4e |
| SHA256 | 67bc1910950b904c88250bac704457bc4bf90418b467743e7c265962859beda6 |
| SHA512 | 0d6bb5620b8102c1cc7cf31fda24c0a9092a13553ee231d05f81edab16ccad3cbfa8179ed2205b7a2bdc2ffbdf1c3b4c1d5ef28136dcb530afe4a01624a19d95 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | 1b14c4ab68e8a34bec5ff96d089a643c |
| SHA1 | 835bbc82bf82123bf3fe485b2edcc3de5d7b4d49 |
| SHA256 | 51a6633df8b57ce822176c7dc8953f99561747d4efc9c25572e87eb2b6a34413 |
| SHA512 | 4170e8ebabfe82b63ccea84d18fda211556de4795dee73935381483ce5068e63b91f42019e11d07dea6aa383ba8a63dd7320de7712e1f11ba6e97ab442612992 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | a3c90c880c9625680c82dfce245b52dc |
| SHA1 | c9bbeb8d04eb0cee45d1e512cd0ad306e728706b |
| SHA256 | 4bdf014e2e39dece2239e0d5996918466ab8065bbdbb77dca09bb927e7a35744 |
| SHA512 | 96ccf172b8247e45505f739a1a465b1696f1b853a4ce6b1faa52a97e7a21d4f6a66a2233eaf5783938fdca5117961e4becfb3c7eeebeb154d851907f09684ae7 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
| MD5 | 46ed37357e51540a699220a6df79fc5d |
| SHA1 | d09f7927137000d875186f7f0ce79adb4e3ab3b1 |
| SHA256 | 792fcd033937866de46a641758fd7efadbb292fec15840ace99e0bc1c6a27812 |
| SHA512 | 09b506a3ba9733499a3437d10c2e5c1f372537ca5c736272e6ecfe1dbe28cc44d8081f7f42224db9b6d88416b5141d949cb79bc8a633c9b6b1455de61005b5ac |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
| MD5 | 415b10f5d0181c003eef4924a53e451d |
| SHA1 | e0c60105155b5912e5fc8fec57dd2164b4f150d2 |
| SHA256 | 518e213caa1e2661e4cfcd1a7f147c8db63319336dadf7706320979a02d3922d |
| SHA512 | c7102b4af72c7bba8776ab02c6be57041ef478ab8a0a965aedf645a8d23559ba7410f3404688c1b64b0b2c3e33f3bcdcff8debaaf74e9b3869e9989e8402ce06 |
memory/2148-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2956-44-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2604-47-0x0000000000030000-0x000000000003B000-memory.dmp
memory/2604-46-0x0000000000400000-0x000000000040B000-memory.dmp
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 7825cad99621dd288da81d8d8ae13cf5 |
| SHA1 | f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c |
| SHA256 | 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5 |
| SHA512 | 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4 |
memory/2956-45-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2148-61-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-43-0x0000000000400000-0x0000000000598000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
| MD5 | 7b4b527e87299f96a5094c09a47a5766 |
| SHA1 | b992a44e6d2b55353c9d1bc546b31223a63864f3 |
| SHA256 | 1d6cb99c74f653f94dccfce32a3a9386e2cc883e79136bd62cc7238d49808c6a |
| SHA512 | e9865754261e665356dcaabfdc6444b2de5440f35eb853cc5a1ae021447c0da555484533e311ada19a423f7677bff65d0fefcd4e2c064b676f3b52364846d9b4 |
memory/2148-33-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-30-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-28-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-27-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-26-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-25-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-24-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-23-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar25BE.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2604-99-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp (zero-length file: the digests below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
| MD5 | cf908eba005e7c484d648c69c562434f |
| SHA1 | a19eb554dbf4800a9692bc1eeba13e0d951c6165 |
| SHA256 | 7b419097059036c7c2befe440331e56b5ed1edba811b2445c942d8c7ad5f40f5 |
| SHA512 | f87c12bfe95fa7682a1f61f0e0dc227f84d16b5328c808fd605a8c56fe64793488d2241b22083930367ea79fe24744948a82b4c631e776f347af68b26d931bd5 |
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | 283ebab4724046bd89ef19ce0db3b179 |
| SHA1 | 623c174ecd291813152a078c767bcdc6ab18d5b0 |
| SHA256 | da0548940ba94abeb8cd71d1d08b9c7db457826e4dd4c0bc890647e039070adc |
| SHA512 | 024e6c3741a66a77461c76ed9e29fdbaffb7ad64fb77c82685d8d5925b189f4f51fe55f08eda602bd9230d945ca665b20ab13e2a82ab5a10e0fb39c7f5eaa114 |
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
| MD5 | 4bd1f7172295b1896bbcbc8f88d28153 |
| SHA1 | 763da94baca744eb3ece854dc4b569d920b3ceba |
| SHA256 | b1a9fd3939af89a044c4857b330573ebbbce6ae6d67ca565ca9cfad9be06ea83 |
| SHA512 | b36be409d9b92262e079e94f36c40a94a5bfeebfd6338e878ccbc0c1abcaf4f664b0676fc25adea6ede225b33959eb51a0712a62f7954a347368c9e7c82d2f2a |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
| MD5 | 56e9d1a9d5d8fde4d8cb2188ecd61292 |
| SHA1 | 222065d9cc9748490258478f29d22ef58464f193 |
| SHA256 | 6ee5bbae539eae44246c9b69ec328f8a741c878ae9d5afeefadcb147e1bc9fc4 |
| SHA512 | 61f00ab2a37c349e7d32fe8965ee3e4a28ccc2cc064a044f652533956ee3677f1ac723d5dc36e5688260917ff58bd989bd3e5d1858669735860d97f1e623b932 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
| MD5 | fa2aaf7580277008ceb9c166b06bcb21 |
| SHA1 | 13f09f859c24a8b01b35f13d6c003bdf2396d912 |
| SHA256 | efe6bf3853c4cdddfe77e134ec0ef29a59f182a95cfe91a91129c00e2b8cfc34 |
| SHA512 | 0e264e7c3a2d0f274d2fd2ea61c36a533f8a851f72958ab00fad768469123dd80a88b9a216c6c1b0ab763986f7ebd9ada7004ff47e2e1598d492a4032b085201 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
| MD5 | b1f07635cd8782a22e706a1f0b6ccea3 |
| SHA1 | 666f464231bf8f37f6477cd5ebd826fbfbc7940d |
| SHA256 | 378597455d54bf75c87075d72dd9cba2f2c7ccf368db7f49acfeb06ff1736b59 |
| SHA512 | 05a34dcac3f8f15433c11f53c2d03f149006de81d34ba78bcb9b3070be6f3157f431fdf129759241a3609be8ac1b198c8d0bd32f4fcf8bc51a5f1f64bbc61d56 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
| MD5 | 1b8d09783864a7b2c55e48dbc18e0889 |
| SHA1 | e3186fb615988011a1cfa11b41b4303e7656e060 |
| SHA256 | ca61fb44e70cf8d8929e0f80f800615c7bfec66c27615114c206b7b9c2de244a |
| SHA512 | 03f4d7e08b5c86c3df46600a8594f960119c435f6ee532d1d027c705c493a8779b4956496af30c60a45712f27ad4122d1a2bfb7036cb74d6a4918027c191a7fa |
memory/1380-98-0x0000000002B40000-0x0000000002B56000-memory.dmp
memory/2148-122-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-121-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-144-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-156-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-160-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\posterBoxBlzJ8eSAGKXPw\02zdBXl47cvzHistory
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Temp\posterBoxBlzJ8eSAGKXPw\D87fZN3R3jFeWeb Data
| MD5 | 69b4e9248982ac94fa6ee1ea6528305f |
| SHA1 | 6fb0e765699dd0597b7a7c35af4b85eead942e5b |
| SHA256 | 53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883 |
| SHA512 | 5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d |
C:\Users\Admin\AppData\Local\Temp\grandUIABlzJ8eSAGKXPw\passwords.txt
| MD5 | 974cc190d5703018c01ce08b904e227b |
| SHA1 | b4f0f2a72907fcf9551846411a7221f60a88f97d |
| SHA256 | 204a93e1274c57f489adb21e0bf56064624582bb3b79fd59ba779ec8a137d8ff |
| SHA512 | 1949cd5ef9ae8ecb93c47e777dd183e758744d5768d024848e462b5416034d7d5cb2a9190d6ac7a2b8151380910ecde4df9396a8e9910b0582015a4923e7103e |
C:\Users\Admin\AppData\Local\Temp\93A8.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2148-216-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\posterBoxBlzJ8eSAGKXPw\Ei8DrAmaYu9KLogin Data
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\posterBoxBlzJ8eSAGKXPw\D87fZN3R3jFeplaces.sqlite
| MD5 | 4a20152560726c963e9c777030638741 |
| SHA1 | 9c633496231903c8a160c4a209ed07be33edf780 |
| SHA256 | 01adf05f70f2f29804b71223067d65de1de51e578a1885fd17448b0e8c1d8c46 |
| SHA512 | 77908a3cf41c2d93b4d9e5776e407d7a3efd86470d48aa117dcb0d130795c49991e92e884402cd0387622007937c50132bca9e67f1e58398cdbdf0a1683e0aa5 |
C:\Users\Admin\AppData\Local\Temp\grandUIABlzJ8eSAGKXPw\information.txt
| MD5 | f23c9dc8654c3834c5c6218bab91b383 |
| SHA1 | 83626fec28a0d677fb6e8c43fd3d8a92b1099099 |
| SHA256 | e6d8da5351fa297a93a2fb7914db4940be5f27f05a42fbe258d1261bb8e4dde9 |
| SHA512 | 313308418c813abfdc798f5d90b65b21dcf6b25a83fbfceea4704c0bb72416e17a2624063fb2b956474087f2cb3c7a149ee11bc4491b69e47b6b4b6c2d031ea7 |
C:\Users\Admin\AppData\Local\Temp\grandUIAvpZ3d8RU59GvF\information.txt
| MD5 | 8c4216393b7b2ed7aa8aac0f0780f59c |
| SHA1 | 413cb9f0c51ce98cb9668b80ad577a93224790f9 |
| SHA256 | 9a02ac3a95bc009fc4e98417d699a440cddf497492816c69d631e7e9c2336d30 |
| SHA512 | 84428640182c9aa00f74ad54368ced689dccb0db8e99e4900a48159979bf22a6d1194c50737462282a35e61e27f6ff6ef090539c6410a85f38783c6026c41b7b |
memory/2148-224-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2148-236-0x0000000000400000-0x0000000000598000-memory.dmp
memory/3044-237-0x0000000000080000-0x00000000000BC000-memory.dmp
memory/3044-242-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/3044-243-0x00000000023F0000-0x0000000002430000-memory.dmp
memory/3044-246-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/3044-247-0x00000000023F0000-0x0000000002430000-memory.dmp
memory/3044-249-0x0000000074B20000-0x000000007520E000-memory.dmp
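The Network and Files tables above mix real indicators with noise: DNS to the resolver, the ipinfo.io, db-ip.com and www.maxmind.com lookups the stealer makes to geolocate the victim, files Windows writes itself (Group Policy cache, CryptoAPI root-update cache) and a zero-length .tmp. The following added example (written for this page, not sandbox code) parses the report's own row layout, tags that noise and returns the remaining SHA-256 values and the direct-to-IP connections as an IOC list. The noise markers and the geolocation-service set are this example's assumptions; the embedded excerpts are copied from the tables above with the SHA1/SHA512 rows dropped.

```python
"""Filtered IOC list from this report's Files and Network tables (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of zero-length input
# Assumption: written by Windows itself (Group Policy, CryptoAPI root-update cache).
OS_ARTIFACT_MARKERS = ("\\grouppolicy\\", "\\cryptneturlcache\\")
# Assumption: public geolocation services the stealer asks about the victim; context, not C2.
GEOIP_SERVICES = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}


@dataclass
class FileIoc:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    tags: list[str] = field(default_factory=list)


@dataclass
class NetIoc:
    dest: str
    domain: str
    proto: str
    kind: str


def _cells(line: str) -> list[str]:
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_files(section: str) -> list[FileIoc]:
    """A path line opens an entry; '| ALGO | hex |' rows fill it; memory/ dumps are skipped."""
    out: list[FileIoc] = []
    for raw in section.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if line.startswith("|"):
            cells = _cells(line)
            if out and len(cells) == 2:
                out[-1].hashes[cells[0].upper()] = cells[1].lower()
            continue
        out.append(FileIoc(path=line))
    for f in out:
        if f.hashes.get("SHA256") == EMPTY_SHA256:
            f.tags.append("empty-file")
        if any(m in f.path.lower() for m in OS_ARTIFACT_MARKERS):
            f.tags.append("os-artifact")
    return out


def shareable_sha256(files: list[FileIoc]) -> list[str]:
    """Unique SHA-256 values of untagged entries: the dropped and extracted binaries."""
    return sorted({f.hashes["SHA256"] for f in files if not f.tags and "SHA256" in f.hashes})


def parse_network(section: str) -> list[NetIoc]:
    out: list[NetIoc] = []
    for raw in section.splitlines():
        line = raw.strip()
        if not line.startswith("|") or line.startswith("| Country"):
            continue
        cells = _cells(line)
        # Some exports put the protocol in the Domain column and leave Proto empty.
        if len(cells) == 3 or (len(cells) == 4 and cells[2] in ("tcp", "udp") and not cells[3]):
            cells = [cells[0], cells[1], "", cells[2]]
        _, dest, domain, proto = cells[:4]
        ip, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            kind = "dns"
        elif domain in GEOIP_SERVICES:
            kind = "geoip-lookup"
        else:   # no hostname at all, or the "domain" is just the IP: the C2 candidates
            kind = "direct-ip" if not domain or domain == ip else "other"
        out.append(NetIoc(dest, domain, proto, kind))
    return out


def c2_candidates(conns: list[NetIoc]) -> list[str]:
    return sorted({c.dest for c in conns if c.kind == "direct-ip"})


# Constructed excerpts of the tables above (SHA1/SHA512 rows omitted; the last
# network row is deliberately left in the misaligned three-column form).
FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
| MD5 | a9f0755518f7b32840de5ee0a96e20e4 |
| SHA256 | adc0697873fb5f526c9edd475f7b4bfd3556346f7e1cfe2b30dcdf751edff5b4 |
memory/2148-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
C:\Users\Admin\AppData\Local\Temp\93A8.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
"""
NETWORK_EXCERPT = """
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | tcp |
"""
```

Feeding the full Files and Network sections instead of the excerpts gives the complete list; the point of the tags is that the empty rise131M9Asphalt.tmp, the Group Policy files and the CryptnetUrlCache content never end up on a blocklist, and that the geolocation services are kept as context rather than shipped as C2.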
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:50
Reported
2023-12-11 03:53
Platform
win10v2004-20231130-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
PrivateLoader
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDA9.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4556 set thread context of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe
"C:\Users\Admin\AppData\Local\Temp\ad49dd256adedfa2be9188ec3f68cb75.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yo6PH81.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ma25Tt3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Eo80hP.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4XL763tv.exe
C:\Users\Admin\AppData\Local\Temp\DDA9.exe
C:\Users\Admin\AppData\Local\Temp\DDA9.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4316 -ip 4316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1896 -ip 1896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1408
Network
Files