Malware Analysis Report

2025-03-15 05:15

Sample ID 231211-k8fvtscae2
Target bf07127222e7e09de78d4fd32149882b.exe
SHA256 055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
Tags
privateloader redline risepro smokeloader livetraffic backdoor collection discovery infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1

Threat Level: Known bad

The file bf07127222e7e09de78d4fd32149882b.exe was found to be: Known bad.

Malicious Activity Summary

PrivateLoader

RedLine payload

RedLine

SmokeLoader

RisePro

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

outlook_win_path

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 09:16

Signatures

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 09:16

Reported

2023-12-11 09:18

Platform

win7-20231130-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

(2 matches; no indicator details recorded)

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Note: the two RunOnce\wextract_cleanupN values are not payload persistence. They are written by the IExpress self-extractor (wextract) that wraps the sample and its first stage; the IXP000.TMP and IXP001.TMP directories are its extraction folders, and each value only calls advpack.dll's DelNodeRunDLL32 to delete that folder at the next logon. The persistence set by the payload in this run is the HKCU ...\Run\MaxLoonaFest131 value above, together with the two scheduled tasks and the Startup-folder FANBooster131.lnk recorded elsewhere in this report.

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io (4 lookups) N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Note: Machine\Registry.pol is the on-disk store for local machine Group Policy registry settings, and GPT.INI carries the version counter that makes the system re-apply it. A Temp-dropped executable creating Registry.pol and touching GPT.INI (and the injected AppLaunch.exe doing so again) means the sample is pushing its own local policy. The report does not record which policy values were written; the captured Registry.pol listed under Files (MD5 cdfd60e717a44c2349b553e011958b85) is the artifact to pull and decode.
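The report shows Registry.pol being created but not what it contained, so the practical next step is to decode the file itself. The following is an added example, not code from the report or the sandbox: a minimal reader (and, only to construct sample input, a writer) for the PReg format that Registry.pol uses, with a check for entries under a watched policy key. The sample blob, the watched-key list and the policy names in it are this example's assumptions; they are not the contents of the file captured in this run.

```python
"""Decode a Group Policy Registry.pol (PReg) file to see which registry policies a
sample pushed through local Group Policy. Added example, not code from the report
or the sandbox; the sample blob is constructed here, the report does not show the
contents of the Registry.pol it captured."""
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def _w(text):
    """UTF-16LE without terminator; PReg stores the brackets and separators this way too."""
    return text.encode("utf-16-le")


def build_pol(entries):
    """Serialise (key, value_name, type, raw_data) tuples; used only to construct the sample."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += _w("[") + _w(key) + b"\x00\x00" + _w(";") + _w(value) + b"\x00\x00" + _w(";")
        out += struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the NUL)."""
    start = pos
    while True:
        unit = buf[pos:pos + 2]
        if len(unit) < 2:
            raise ValueError("truncated string at offset %d" % start)
        if unit == b"\x00\x00":
            return buf[start:pos].decode("utf-16-le"), pos + 2
        pos += 2


def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def decode_data(rtype, data):
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()


def parse_pol(buf):
    """Return (version, [(key, value_name, type, decoded_data), ...]).
    Each record is [key;value;type;size;data] with the brackets and ';' as UTF-16 chars."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file")
    version = struct.unpack_from("<I", buf, 4)[0]
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, rtype, decode_data(rtype, data)))
    return version, entries


# Policy paths worth flagging when a sample writes them; an assumption of this example.
WATCHED_KEY_PREFIXES = ("software\\policies\\microsoft\\windows defender",)


def flagged_policies(entries):
    """Entries under a watched key. Value names beginning with '**' are PReg control
    markers (e.g. **del.<name>, **DelVals.) and are returned unchanged for the analyst."""
    return [e for e in entries if e[0].lower().startswith(WATCHED_KEY_PREFIXES)]


# Constructed sample input (not the captured file): two Defender policies plus an unrelated one.
SAMPLE_POL = build_pol([
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\System", "DisableLogonBackgroundImage", REG_DWORD, struct.pack("<I", 0)),
])

if __name__ == "__main__":
    version, entries = parse_pol(SAMPLE_POL)
    for key, name, rtype, data in entries:
        print(f"{key}\\{name} = {data!r} (type {rtype})")
    print("flagged:", len(flagged_policies(entries)))
```

To use it on the real artifact, read C:\Windows\System32\GroupPolicy\Machine\Registry.pol from the detonation VM (or the file the sandbox exported under the hash above) and pass the bytes to parse_pol; the SysWOW64\GroupPolicy\gpt.ini the sample also touched is plain INI and needs no decoder.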

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1352 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Note: the source, 4dC065jy.exe (PID 1352, extracted into IXP000.TMP), sets the thread context of a freshly started AppLaunch.exe (PID 2768), the .NET Framework host. In the WriteProcessMemory table below, every other parent-to-child launch in the sample's own chain shows 7 writes; AppLaunch.exe alone receives 14 and is the only SetThreadContext target. That is the create-suspended / write / SetThreadContext / resume sequence of process hollowing: whatever 4dC065jy.exe decoded runs under the Microsoft-signed AppLaunch.exe image, and the 0x00400000-0x00598000 dumps for PID 2768 listed under Files are where to recover it. PID 1352 then crashed (WerFault.exe -p 1352, the "Program crash" signature).

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe (2 invocations; command lines under Processes) N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe (2 events) N/A
(61 further events with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege (5 events) N/A N/A N/A

Suspicious use of FindShellTrayWindow

(4 events; no indicator details recorded)

Suspicious use of SendNotifyMessage

(1 event; no indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2536 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
PID 2536 wrote to memory of 2996 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
PID 2996 wrote to memory of 2604 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 2084 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2536 wrote to memory of 1192 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
PID 2908 wrote to memory of 1352 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
PID 1352 wrote to memory of 2768 (14 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1352 wrote to memory of 2300 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\SysWOW64\WerFault.exe
PID 1356 wrote to memory of 2304 (1 event) N/A N/A C:\Users\Admin\AppData\Local\Temp\D4FB.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
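The WriteProcessMemory and SetThreadContext rows above are enough to rebuild the process tree and to single out the hollowing target without the sandbox's own tree view. The following is an added example, not the sandbox's code: it parses those rows as printed (repeats collapsed, and an optional "(N events)" count after the target PID is tolerated), builds the parent/child tree, and flags any process that the same source both wrote into and set a thread context on. The hollowing heuristic and the output layout are this example's assumptions.

```python
"""Rebuild the process tree from the flattened 'wrote to memory of' / 'set thread
context of' rows of a sandbox report and flag process-hollowing targets.
Added example, not the sandbox's own code; the hollowing heuristic is this example's."""
import re
from dataclasses import dataclass, field

# Rows copied from the report above, repeats collapsed (the parser tolerates repeats and
# an optional "(N events)" count after the target PID).
ROWS = r"""
PID 2908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
PID 2536 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
PID 2996 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2996 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2536 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
PID 2908 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
PID 1352 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1352 set thread context of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1352 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\SysWOW64\WerFault.exe
PID 1356 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\D4FB.exe
""".strip().splitlines()

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+)(?: \(\d+ events?\))? N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass
class Event:
    src: int
    dst: int
    verb: str
    src_img: str
    dst_img: str


def parse_rows(rows):
    """Keep only rows with the sandbox's PID / verb / PID / indicator / process / target shape."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append(Event(int(m["src"]), int(m["dst"]), m["verb"], m["src_img"], m["dst_img"]))
    return events


@dataclass
class ProcessTree:
    images: dict = field(default_factory=dict)    # pid -> image path ("N/A" if the report has none)
    parent: dict = field(default_factory=dict)    # child pid -> parent pid
    children: dict = field(default_factory=dict)  # parent pid -> [child pids] in first-seen order

    @property
    def roots(self):
        return [pid for pid in self.images if pid not in self.parent]


def build_tree(events):
    """The first process that writes into a PID is taken as its parent (rows are in
    creation order); an N/A image is replaced if a later row names the process."""
    tree = ProcessTree()
    for ev in events:
        for pid, img in ((ev.src, ev.src_img), (ev.dst, ev.dst_img)):
            if tree.images.get(pid, "N/A") == "N/A":
                tree.images[pid] = img
        if ev.dst not in tree.parent:
            tree.parent[ev.dst] = ev.src
            tree.children.setdefault(ev.src, []).append(ev.dst)
    return tree


def hollowing_candidates(events):
    """(src, dst) pairs where one source both wrote memory and set a thread context in the
    target: the create-suspended / write / SetThreadContext / resume sequence."""
    wrote = {(e.src, e.dst) for e in events if e.verb == "wrote to memory of"}
    ctx = {(e.src, e.dst) for e in events if e.verb == "set thread context of"}
    return sorted(wrote & ctx)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(tree, flagged=()):
    """Indented text tree, one line per process, flagged PIDs marked."""
    lines = []

    def walk(pid, depth):
        tag = "  <-- injection target" if pid in flagged else ""
        lines.append("  " * depth + f"{pid} {basename(tree.images[pid])}{tag}")
        for child in tree.children.get(pid, []):
            walk(child, depth + 1)

    for root in tree.roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_rows(ROWS)
    tree = build_tree(evs)
    targets = {dst for _, dst in hollowing_candidates(evs)}
    print(render(tree, targets))
```

On this report the only pair returned by hollowing_candidates is (1352, 2768), i.e. 4dC065jy.exe into AppLaunch.exe; the schtasks.exe and WerFault.exe children are written to as well but never have a thread context set, which is why a rule keyed on WriteProcessMemory alone would over-fire here.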

Processes

Process tree for this run. PIDs and parent/child links are taken from the WriteProcessMemory table above; each entry gives the image path and, where the report records one, the command line beneath it.

PID 2908  C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe
          "C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe"
  PID 2536  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
    PID 2996  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
      PIDs 2604, 2084  C:\Windows\SysWOW64\schtasks.exe (two invocations; the report does not say which PID ran which)
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
          schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    PID 1192  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
  PID 1352  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
    PID 2768  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (injection target; see SetThreadContext above)
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID 2300  C:\Windows\SysWOW64\WerFault.exe (crash handler for PID 1352)
          C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 276
PID 1356  (image not recorded by the report)
  PID 2304  C:\Users\Admin\AppData\Local\Temp\D4FB.exe

D4FB.exe is the one process not descended from the sample: its parent, PID 1356, is not identified, so treat it as a payload fetched at runtime rather than part of the extracted archive; its memory dumps for PID 2304 are listed under Files.
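The Run/RunOnce values in the "Adds Run key to start application" table and the two schtasks command lines above are the persistence indicators a responder would turn into a hunt. The following is an added example, not the sandbox's logic: it parses the Run-key rows as printed (undoing the report's doubled backslashes), separates the IExpress cleanup entries from real autostarts, and scores schtasks command lines on the properties that make these two stand out. The user-writable directory markers, the scoring rules and the benign comparison command are this example's assumptions.

```python
"""Classify the persistence indicators a sandbox report records: Run/RunOnce values and
schtasks command lines. Added example, not the sandbox's own logic; the user-writable
directory markers, the scoring rules and the benign command line are this example's
assumptions."""
import re

# Rows copied from the report's 'Adds Run key' table (backslashes inside the value are
# doubled in the report; the parser undoes that).
RUN_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
""".strip().splitlines()

# The two schtasks command lines from the report's Processes section.
SCHTASKS_CMDS = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
]
# Constructed benign comparison (not from the report).
BENIGN_SCHTASKS = r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY /st 02:00'

RUN_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>\S+) = "(?P<val>.*)"(?: (?P<proc>\S+) (?P<target>\S+))?$')
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")  # assumption
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
HOT_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify_run_value(row):
    """Return a dict describing one 'Set value' row, or None if the row has another shape."""
    m = RUN_RE.match(row.strip())
    if not m:
        return None
    key = m["key"]
    command = m["val"].replace('\\"', '"').replace("\\\\", "\\")  # undo the report's escaping
    name = key.rsplit("\\", 1)[-1]
    kind = "RunOnce" if "\\RunOnce\\" in key else "Run"
    if kind == "RunOnce" and name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in command:
        verdict = "iexpress-cleanup"  # IExpress SFX deleting its IXP*.TMP folder; not payload persistence
    elif in_user_writable(command):
        verdict = "persistence-user-writable"
    else:
        verdict = "persistence"
    return {"kind": kind, "name": name, "command": command, "set_by": m["proc"], "verdict": verdict}


def parse_schtasks(cmdline):
    """Map /option -> value (True for bare switches); option names lower-cased."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts, i = {}, 1  # tokens[0] is the schtasks executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:].lower()] = True
        i += 1
    return opts


def score_schtasks(cmdline):
    """Number of red flags and the reasons; 0 for a task creation that looks routine."""
    opts = parse_schtasks(cmdline)
    reasons = []
    if "create" not in opts:
        return 0, reasons
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if str(opts.get("sc", "")).upper() in HOT_TRIGGERS:
        reasons.append(f"logon/start or high-frequency trigger (/sc {opts['sc']})")
    if isinstance(opts.get("tr"), str) and in_user_writable(opts["tr"]):
        reasons.append("task binary lives in a user-writable directory")
    if opts.get("f") is True:
        reasons.append("silently replaces an existing task of the same name (/f)")
    return len(reasons), reasons


def triage():
    run_findings = [f for f in (classify_run_value(r) for r in RUN_ROWS) if f]
    tasks = [(cmd, *score_schtasks(cmd)) for cmd in SCHTASKS_CMDS + [BENIGN_SCHTASKS]]
    return run_findings, tasks


if __name__ == "__main__":
    run_findings, tasks = triage()
    for f in run_findings:
        print(f"{f['kind']}\\{f['name']}: {f['verdict']} -> {f['command']}")
    for cmd, score, reasons in tasks:
        print(f"score={score} {cmd}\n  " + "\n  ".join(reasons))
```

The same parse_schtasks/score_schtasks pair applies unchanged to process-creation telemetry (Sysmon event 1 or 4688 command lines), which is where these two tasks would be caught on a live host.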

Network

Country Destination Domain Proto
(Domain is "-" where the connection had no DNS name; country labels are as reported by the sandbox.)
US 193.233.132.51:50500 - tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
US 193.233.132.51:50500 - tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 - tcp
RU 77.105.132.87:6731 - tcp
RU 77.105.132.87:6731 - tcp
RU 77.105.132.87:6731 - tcp

Files

Each entry is one captured content hash. The same dropped path appears more than once where the sandbox recorded the file at several points while it was being written, so every hash listed for a path is a possible indicator, not only the first.

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

MD5 80bb9be6abda30c47f0c2ab6de2c8382
SHA1 68d3950077850e7473bd8390785cef64ae2481ea
SHA256 d9f6bd982274a4cf10037a2b9d82fc3ec5ff41a0192b95ee4b11276ec078101c
SHA512 ad9ece60edcc79e2f4b68e76d4e9a664d2d2933122f210329f2bacade209b629c9c2d2d7f1c189c0e237f37e777a2d297980dafd111cbded94db2b7e18bb52da

\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

MD5 fc6a5ca450402607a1fef0fa2fffa9a0
SHA1 4db0d878f9f7b90eb9a6a4344e9cf8804a23fa01
SHA256 cc59cc4cfb19737891db87f17299f7fd62f07a31eb18fee792f809233642b5c7
SHA512 54f380a3c80cf4a41800d58a12cdb4c26bfc08c171be5c7eb9d8c690bc8d467750cc625945dc9cd4f996c47d1e74600bb3f3c0f9d2b79bc079f66fc55bd97b5b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

MD5 7f79f4dd1fb063aab8fa9b9d9d57d014
SHA1 2ab457ec8c91fdd2caffe868be69868d3d1f59a5
SHA256 a6a6c4b2f7e2382ae32f35b00d553d5961674a0a59dc2b627f642814563803f6
SHA512 2ecb6b86f609ba680ce8cef66ae66283e89271556b09821dcc633cd89bfc514cb15b6f8c42adaaa1c516ae55bced15a973183fff5ae283d72f3239f95df6fe15

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

MD5 c0ec4bee2759628128e34dabc59f7270
SHA1 72f73b612dab4ee56a2a1fbab919d25db303720e
SHA256 5f5534bbb6f63310c3695f1e4fea68e0cf35e097a69ee3607738e4ea808c6aa2
SHA512 c13eef30f3a9fea43da89dbca482c477adadaff8d72fd302df62c84326bca271b3acb8c4fd66f9989ec087d2b492744015b211b57ca06212217235ab2afb3eae

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

MD5 22f5ec0c4bd12f7925edb3d114da15c8
SHA1 ae54f63513e49a9f3b697d6733c9470cecd7330c
SHA256 9b1a7811d563b47311625a3db529a8bbf56ac8429521dd625aa79a9e7863399f
SHA512 f8b53f283c0b775e16673afb846e0b35dde5d4f3e0a2562e73446ff0f6b6082fe36ea5ede2aaa2da6a20d280a245cafc8c83a706b38f2b65243dbf562ed76f05

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

MD5 936d958782b0f9ac8ff0896f8d85d040
SHA1 329bc6c3e491281382e33d22fc48cc07a56c8391
SHA256 1cad510afa8b4a4fdc7102333ce1544538bf93577a0c0eb1e928ebb05d67ec3e
SHA512 4836a8b133e49f8baf2749644a5da642ac012dbb49f0df370a7c5a4fbae42d876559ffc5485daa0c368ea695aba1ed341eb2026cd1991e3183197e1a6f520c62

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

MD5 0a95260d2e993962cba05a1487caed54
SHA1 798c8358f0148d0e130081ea8135350704622387
SHA256 8ab4935efc6a79a59fead73609fa0f065a6a8170be1efd19dbddd69e250de403
SHA512 a0ca86752d018c5518e22f0ada61b4b51c1b864ed4756cc07f773f97e777204d3cdc19bfe202c02d4be577bf1a71113575a5f20edc33056b57705070b5ddd45e

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 e041e63b53274c27d31118cff06c336e
SHA1 57321af67d25ea0628d9bf4dcdfb2b8d0f69bd0f
SHA256 d623d8fd48d514f527c8fc00adc96fd3fd9956e3b8f3b62552ed9986c64aa74a
SHA512 3e794aa585bf7d1cee08d014ff8380c47f4353efe2b7aa3167af737f069aed1ea78e00c414ae6f6178773607a96e8bb2251f97e1f8e7deac09db6f0b5f1b9a58

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

MD5 87b8c994606ba0d8f8af76187adf90ba
SHA1 b8baa84db8224102d2a8c47356d2b7c30a29ebb6
SHA256 18cc6adae252bf73442f002a7c556ea9933aee25c40455e5717827312b5c1d6b
SHA512 7e9324e4f8d95f6e636285c9454f339812d27465e655f0353511b2b8b172b4a6b581c4a8e318aac4e83820e2c1e933f84a4e5eb6f53e6e4aeca8ba5f766136ca

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 d9343863eceb39bb0e18bf04593ef7a0
SHA1 f70bef82fb102309d1ff45aa03453981bd6c585d
SHA256 f5146fc514adb64e434a15de3d8a3f5acff4c8fd5e108c26876414a802fa5342
SHA512 70d767419caedb6d73a338f6fa41b08013bfb390ee11c7406e6b4a13fc6fa6acc47bf24e158bdca4501a24cc39a20e0266cf85494a0da389f588d76c43018e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar300B.tmp

MD5 a28bc49f86e41536ddfe67a68d69d7b2
SHA1 c14630864a727dde71ae5c58107af19b4f5f6ac9
SHA256 a884cdc37c60bf88733104dc62355b525f136fe3413535575a73555b3db178b8
SHA512 d68279f44aa927ee2835df2831ab721835eac7309c2c8c72061578273db6024c774a83db6f0b5248995e4ff426cc9f7df8dcf6144817f06e42f1c52dfe087262

C:\Users\Admin\AppData\Local\Temp\grandUIAxsAGOnQKR0sNt\information.txt

MD5 1ee4fc1d8d3255d4d1c38a5f64048fe4
SHA1 82408de1860f7abf75da243ae596942c801e6521
SHA256 4ce44641b883a4e3f3a92a81a67f6628a2856c9ae6399050544c62a73a9eae9e
SHA512 e81fc68b710d6a656eee08239dfe25b0f67e4fc1e3ff9a6851431b29a99a342b560e13f5a3263f2099eadf3034e93f781e792a7780a48a71c586c6c4d0feb171

\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe

MD5 284868406d6bbc0bf89325b311c325ce
SHA1 eec0e1b6bd29fd60bb980186969d04392fe0a3ca
SHA256 fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0
SHA512 550f5a20bd8fd4d4398b218c19a5f97a6bb07da826bff1398cfee1ad7cc80e67293716496236654fb252cfc848f77932ae80fe01053a60772f9d0270eb4bcd30

memory/1192-127-0x0000000000020000-0x000000000002B000-memory.dmp

memory/1192-126-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2536-123-0x0000000000100000-0x000000000010B000-memory.dmp

memory/2536-122-0x0000000000100000-0x000000000010B000-memory.dmp

memory/1356-128-0x0000000003240000-0x0000000003256000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 12bee381342491880efa594723cfea87
SHA1 e455023d43a018a5c005a9930553f45a2efa36bb
SHA256 a4f881b760c0dac85c37be74c58a1921b69332057df7ef172348884130d9e536
SHA512 b390840fdeaf601f4cf238c1d9b118d26b0c6875f044e20cc8c03cc93498d8e24533b4195ccb04278f84ba709e29c4ca50a673810ebf22feb87d2990d5d7dffc

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 536e72b901221b686e7d3144df498e55
SHA1 e349ac760baa935aa7ab68303c72a59225bf400b
SHA256 d4d44d80356e5d407a4eb20be6e730205d174ebf364a34cb83c9dabc257916ee
SHA512 64713663b57a16e42ad12f19e255f8c034dff819e70bef0579087d02b9582908532d145e92b179bee3dfaa234b92a9173a0442e4c958703f65b97c7ea80cf90a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 24dadd97268579d7cd971ab90acee811
SHA1 0d234a3ea542f65dcbc6f969e0ca8e327a9c9881
SHA256 576a60869f541ebcc3625963d54e51855cd9507d7273a47ddb5cf2ad3fa40882
SHA512 7608724b287ca341bc077f74b3cefa08061ce173f3c582e42c7bab231781d2e2972a194583a00a4089dcf7123b4881b0b2bf064f1178ccad7e965d0ccbf699e3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 06d612130862f1c9afa829c791a11c0a
SHA1 9ded415599320f2bab7b916ea498b3f68214bcd4
SHA256 25254bf2dcc6f5c0c3dc5588cf0958b5f64f7896ba11e3fdeaf16008f64b1574
SHA512 a43a2f8ff10b40dc3835d54788252c1306bba5b0d081265e521b5cc6689823f4ad7882628c59687d9ff0d2db55c372f62049f5a36f4472fb64035f685c714ef5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 c5271da06a2eb452d820f1c7cd2aa258
SHA1 a20b1d5d27669e9862f54a8f6168ef4975a4c226
SHA256 7dcbd545e021ac4ee379a8a2627d3d2b8f552a42e3a09af0e66f0917222fc754
SHA512 344d5c11495fca5433c795c8055f777780a417c20b1fc44d46a385917d942be400ea205a58431db09efa551e36726658b90344e529b0a37de8b9b13e14b5cbec

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 e1a21cf48d309e3a9bc3a9b801a0e73f
SHA1 118a589f358aec81a92a26eb34e09c250f5ef1d4
SHA256 3a3c64fbf2920cc32452e1d0ebd2d0db196dee63446359fa6afeeaa54466b55c
SHA512 4416c987ff820d04582db5d5900697ae7ba0aab3c31b2869f60dbca0c5cba062c9e4e91a384171f3ca9e9b91d7d22d0863a3b6b6c527fa69c4c28ae6594895ce

memory/1192-129-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2768-142-0x0000000000400000-0x0000000000598000-memory.dmp

memory/2768-147-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

MD5 231fbe34fc1c659b7a10c109b183c263
SHA1 9ec77a8ceef16c828d611a3c1b9704b33b995905
SHA256 a71574e531876f4ca8c1deef4b1d618362a46b16bb562c87f020c057d4459aa7
SHA512 12b28a11263ebe6c7f343621d98ba6586578114993e264dc347eed7232d157c27f1a520700da3de7944a4937226ea8ea9ffcec73da3a6767bf61d0ab63f95ef6

memory/2768-168-0x0000000000400000-0x0000000000598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 2797f85570ce616ceb04cb48c7f04bb5
SHA1 f53998fe00fd1e95060cf3fc44475be64b55ad05
SHA256 546d70eb5f76fc81786972bb3b7a3abc26312b980f9600881bfdc9db866eeb80
SHA512 91bb790e74da1f7cc9b22f526d31ee4ea6665164076f4a549e3c48b4dab99a34cb1df303be7f2975903e960c5251f72a32b4a28dbd38e906724c2c7769b3f7df

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

MD5 6a4caca2982d520962234c43354e353e
SHA1 12a661010b8e68768455ec54961f0f1be8409617
SHA256 b028b664d06993985e90d044ca7b1983e46ee34ced78a33e14cb6afe3a06c8d4
SHA512 b08993502243efb13f7207ea89c95ab305f9048961435f1a29bb551fe04e34e614505d57800df9d60fd5281ef349790ae5cf241a6deb5b6c222974f59a3bf8a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 3f8f74e2b2943fe30d1d6cf8efb64c77
SHA1 ba0251929ad312e21bd5fb4e9fc4622724edee12
SHA256 970677ac1118f64e219e8d73ff1d02fc1113cab5abe9f1546d2f2ed5115cf411
SHA512 e7f14b8682d9122ae160447c01ee4d535f768a51eaba8db5a9f76afe84ae7bfae6db76ea9e1762dd47ab563a22ba7db5ee68b8cce93c56fae9d6b5bece120929

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 a1a0973c132169cf54bec9a2fb3dabe4
SHA1 5bae0534bf89e039eaa01291afcece00bb8f4656
SHA256 23e87e23bfd77865963f3b86538639c3d6d9a5b8dd0a5001019e98d8ed7ba87f
SHA512 2e6a5172202dfd27d96b595781a934a743ac32d6571de6df0d75c175e6bef4f9c1063ee5a49c6609619097be49b4e3b3f463282e83fcbfef39274050513f9378

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 b0dfc0b848413fe036c6807b7807a3a3
SHA1 67d6fac572d80d8f9d1a4086c598b25c230331bc
SHA256 4f14aa67ca87c7a82ea1b3be7d07b7fe79b1289880c574419d5c41e41fa6428e
SHA512 55a9719f335a8bfd722356cd4f59f96959881bf1b1652dac758d3f3884c5e9d502d2bf95424ee47dda13497c80db3b03913dff9c0c787876fbdd8accec113124

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Users\Admin\AppData\Local\Temp\D4FB.exe

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 09:16

Reported

2023-12-11 09:18

Platform

win10v2004-20231130-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4120 set thread context of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
PID 1884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
PID 1884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
PID 3620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
PID 3620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
PID 3620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
PID 3764 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe C:\Windows\SysWOW64\schtasks.exe
PID 3620 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
PID 3620 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
PID 3620 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
PID 1884 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
PID 1884 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
PID 1884 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3436 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2342.exe
PID 3436 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2342.exe
PID 3436 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\Temp\2342.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe

"C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1864

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 596

C:\Users\Admin\AppData\Local\Temp\2342.exe

C:\Users\Admin\AppData\Local\Temp\2342.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

C:\Users\Admin\AppData\Local\Temp\grandUIA0Lj688hsPPW5_\information.txt

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

C:\Windows\System32\GroupPolicy\GPT.INI

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

C:\Users\Admin\AppData\Local\Temp\2342.exe

C:\Users\Admin\AppData\Local\Temp\2342.exe
