Analysis Overview
SHA256
0f74f42b2f2dd26b739f00ed44597289426e5aa0ee35ffe26e97cc4ca410870f
Threat Level: Known bad
The file 0fe1fde963a595f0c707fb9fa7676636.exe was found to be: Known bad.
Malicious Activity Summary
RisePro
ZGRat
RedLine
SmokeLoader
Detect ZGRat V1
RedLine payload
PrivateLoader
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of local email clients
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Runs net.exe
Modifies system certificate store
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 18:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 18:50
Reported
2023-12-11 18:53
Platform
win7-20231023-en
Max time kernel
60s
Max time network
89s
Command Line
Signatures
Detect ZGRat V1
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
ZGRat
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4D5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FFD3.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1692 set thread context of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary certificate blob not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe
"C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\C4D5.exe
C:\Users\Admin\AppData\Local\Temp\C4D5.exe
C:\Users\Admin\AppData\Local\Temp\FFD3.exe
C:\Users\Admin\AppData\Local\Temp\FFD3.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-RE8B3.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RE8B3.tmp\tuc3.tmp" /SL5="$A0116,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211185132.log C:\Windows\Logs\CBS\CbsPersist_20231211185132.cab
C:\Users\Admin\AppData\Local\Temp\231C.exe
C:\Users\Admin\AppData\Local\Temp\231C.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\2520.exe
C:\Users\Admin\AppData\Local\Temp\2520.exe
C:\Users\Admin\AppData\Local\Temp\2DC8.exe
C:\Users\Admin\AppData\Local\Temp\2DC8.exe
Network
Files
| SHA512 | e5a30a9637674bacb5f3f15ea6ae9b01b1fdbeb6d08b9f1f9ae0add03f56b04009d8a5373fa8578ab80fd7cc5518409e0b7b6c887c640a4d1447bc0cfdbfa48d |
memory/2940-242-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 4a16c2675c43e6279a8c57cec9d063ab |
| SHA1 | fe5b9287afc96cfa437318f1807ea9a124748dc8 |
| SHA256 | 2f423db53ead9448c58e1f6037666a8ff455455cc79534eea697a38216c8e1c1 |
| SHA512 | 213c58f847805fb0712c0a6266a6498c8c3ef08f83ddccf92e37153db4f99f676810c8530047893607e206369192bf9cfedd3e5f299ec175dc505280f9dcf3f8 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 1790bb0fe7f1ddac9139b79390f47489 |
| SHA1 | bdbe8cb21f72055a39f9db0d14d472968b564555 |
| SHA256 | 68004656c85859994448fa19f4a8cd8baed72698dc546852e42e1fbe3b241774 |
| SHA512 | 8c4abae4a14bc6ef7166ddd8012ac0b014e4f9c20a91168ecb7043ec9dccdb211bc2ddecd770588ddbb3c6fa851e9223a2fa83f198b2647c187e9d62b6c4e045 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 44e4c634757b831f38427bd37e6304d4 |
| SHA1 | 01e3d36c5b1c4edf4fd961ecd815dbd6d162852e |
| SHA256 | 6c55f84b12721910965307a85f50bc1befbe997360b24e5708570075e64ee188 |
| SHA512 | 30cb6d54b007d6bd4fe3fd2d77070de4a462f55490087c9cb6ae0bd1e5b9dcd0c9ff27801f92b81ac6a9e82833294476222383da437b937a2cb4d6a51a3ecab9 |
\Users\Admin\AppData\Local\Temp\is-RE8B3.tmp\tuc3.tmp
| MD5 | a9e1b79cc0fbe3b8fcc2011b3ab51a06 |
| SHA1 | 06272b170408bb7b0d1683fcbff8ba3e92fc93f4 |
| SHA256 | 498835c63d3a42debdd69110f9dd6edd62727ade64d9d50f5ff416b5a2152b92 |
| SHA512 | e6c3c45dee99b5ce596b1dd56dd0ec070520abdba38ea29adc6ea722fcc1fb65bf699a1a5001d78b4c07fafd573f1e93676f5928247bb1dc670e8eb4f0bd0b5d |
memory/808-257-0x00000000743A0000-0x0000000074A8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 9d71c100c8ca5650c0c9304ffb14ebdf |
| SHA1 | eda2c27f0986eb75f784e9ecb2c51d5e222bc657 |
| SHA256 | 7f4b3f9cbdde5d195c905893be6a59bff5820f9e19fa52f5dd98b9b188900697 |
| SHA512 | 6f5650536f2d88c70556e3bdd9afd10202f63ba80719cb118f1af4753ac86b0c44358c5da7b58e8b04a9b7fcb14ca4e438ae0551962133e5f1fe606f8ad38e03 |
C:\Users\Admin\AppData\Local\Temp\is-RE8B3.tmp\tuc3.tmp
| MD5 | 15b23e6e587550031cb2a1a7b564d49a |
| SHA1 | e80f58b2044dc8c12a4a474454c6ab4507307489 |
| SHA256 | 8622f950173e540ae1459940af14c5a851e0d1991d8dc990841103e6fb790d9f |
| SHA512 | 14cd34cbf6389d2831721d31ddcb5cba4bcb57f3020512a0d83cdb3a92bb855421c471c6151d6487587fe980f93a7feab04efe93577af18dc329bbefcf746125 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | b9dab0802e684906f4a1cb7641bbb901 |
| SHA1 | 5522c7fb8f244cbae917968701b27a5d79f54816 |
| SHA256 | 90f2fb001c8f583ee893091adb006bbc843553bf5c129361e9ea2e9505feb523 |
| SHA512 | 7591f41cf791328590d3e483586dcfe173e7e7e3ab443e04a092cbdbd4aa476856e22d4b66aaa519e848c5fea38427d0f26bc97180f0e63a9de3807fb38a6b95 |
memory/2608-264-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-PS9IR.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-PS9IR.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-PS9IR.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-RE8B3.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 23da5878e98481ac66a9e95270a7e68d |
| SHA1 | 04d08604158d95cc7c4d84d79154a81366f5e1c1 |
| SHA256 | 672e8d13b756c4716b52369896a045bdaf0e01fc28236db09ea176305475c9c3 |
| SHA512 | 7b6f2806ac71ee17baed1357906b945577c22d2a1f3883cfb2931f033c8e1fea69b1dbb51580760a513cf25d1452b5603982b7ef23ffa45257b3840c43186232 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 37226ed51f214cfc4c5c59be52531bc2 |
| SHA1 | d852d7e446cc97d9651a2acbe9ab10cddec493f9 |
| SHA256 | d296d5d26c1943e0137b08793cfdcb0725aeabb43235473e1d05cabf0ee5fc6b |
| SHA512 | 37cae323d490d6a5cfb974dda49176f50ff2bbdb12d19075dc5e28ecadbf61a3b863ae85e6e424ae27cedac21fe6da4e37562457b75264214b695cbc8b7dbd06 |
memory/2300-288-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1896-289-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1896-290-0x00000000001B0000-0x00000000001B9000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | a9246395492eecda0e4648b39fbea575 |
| SHA1 | f04f377d2f0a3e692839e47d905b97ccac5e28fd |
| SHA256 | 13cb657658eb450f1705dfe185f34b632ebb823fa79644ee42440921acc00a58 |
| SHA512 | 74ef5546a237caebd815f294becf3a3a5c99d6db01d936ead900b6cf88dfc1f56d4f33c147a2a1bbccc594c285dd74cab47800edeac6607f87be84a645649723 |
memory/2884-293-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2884-295-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2884-296-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2212-297-0x0000000002680000-0x0000000002A78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 74aa0fff07b57362a955a07b439bf0c9 |
| SHA1 | 1a505296a802ae38adadf0a1652e498911bc8656 |
| SHA256 | 2e588fdfc126d9aa099651cb1260fb77b2170c2d01337ab2ced02581c60e9158 |
| SHA512 | 8537859bdb09bd72b667d2391093debca92a635f9186d62529705dcc7b041c81092f71a45b2131629f3cff5e977d4d7a5871d371f07fa9e258061265203a8beb |
memory/2212-299-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/1052-298-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/2212-300-0x0000000002A80000-0x000000000336B000-memory.dmp
memory/2212-301-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1052-305-0x0000000000A70000-0x0000000000AB0000-memory.dmp
memory/2584-307-0x0000000000250000-0x0000000000744000-memory.dmp
memory/2584-306-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/2940-312-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2212-309-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1296-314-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1296-313-0x0000000001050000-0x000000000108C000-memory.dmp
memory/2608-315-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1296-316-0x00000000070E0000-0x0000000007120000-memory.dmp
memory/1392-317-0x0000000004090000-0x00000000040A6000-memory.dmp
memory/2884-318-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2208-322-0x0000000002570000-0x0000000002968000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 18:50
Reported
2023-12-11 18:53
Platform
win10v2004-20231127-en
Max time kernel
49s
Max time network
89s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A063.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3572 set thread context of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe
"C:\Users\Admin\AppData\Local\Temp\0fe1fde963a595f0c707fb9fa7676636.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uq1Ks67.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aM6VY40.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ae36yW8.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3092 -ip 3092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 1768
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3GA64Ne.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Tt924Lv.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2124 -ip 2124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1480
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5FU8Id5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\601C.exe
C:\Users\Admin\AppData\Local\Temp\601C.exe
C:\Users\Admin\AppData\Local\Temp\A063.exe
C:\Users\Admin\AppData\Local\Temp\A063.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-SHEJK.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SHEJK.tmp\tuc3.tmp" /SL5="$30220,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\C2EF.exe
C:\Users\Admin\AppData\Local\Temp\C2EF.exe
C:\Users\Admin\AppData\Local\Temp\C68A.exe
C:\Users\Admin\AppData\Local\Temp\C68A.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
Network
Files
| SHA256 | a674a3e179fdad3f5818d36a8ba0f32b6baad27e563f2daddf1f27c4601537fe |
| SHA512 | 009eb7e14f9434e860a847e86ca79f5caa066a927389f0bae8885d8d2b19253338c51b26886c00e07aaf26f972c708de45588e571d830701e2bf6a44e19bc547 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | e40d552d905860eae892c3692813a495 |
| SHA1 | e9e5da88161f15e99d898fa509b9b3bc0a6936d8 |
| SHA256 | a25367b2c0611bd237bc1b507f99cb9e49a4c483bae6dcff73e401a165f78cd9 |
| SHA512 | 4137c6813b4ea5187409d81aff148feb3fb0c8c36b1f7efa00347f89d3566af1cf236b13a97d6e149fe74293459101fef4e1f7f1dbe32771b7934568562606bd |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 07f5edd5f739db230e7384a94efe269f |
| SHA1 | 15c61cba2824dd3b9be55f20f0bf12e11879c2d5 |
| SHA256 | e0dd44be97de842e320362c639778829ce53eae84b92bcc02d26255fd2875581 |
| SHA512 | 12fa3d7d3f9fe434030cad0271cdf75607da9558eef0edc0964dbfbb2798866092c80069c5c1987b93471e95acfa84da22aba38b94c3d31e630ae68ce68485d8 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e46b1f333926951bbbd25c9053f21373 |
| SHA1 | 800baaae43e4f2518e241a2ee338631839bdec16 |
| SHA256 | 536ebee527dca68884bb79f802395aa009ecbc0bd4783723b86f9465ef25ad67 |
| SHA512 | 163b48287c0356bdb5bb429f90fe542729b3ddd028b14aaa04d588b957db855e00c6a5c48dda895f7c2d4bf35b0ce9092ad5e5b48d85186bc84cd6f73af91d20 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | a47ad363b9331d7ce99f73e043685818 |
| SHA1 | 21ab16b99ebb59b6aa25781fc1e85a2b7e86bd5c |
| SHA256 | 8e4ac46df0947823c34bcfce4e7ff4d573c97889309066c1a13d3654bf99ba4b |
| SHA512 | 4a9d6df3a610d0e45cf80081d7fd37343652352824ac265b43320953de1f44297a5ce896ff475c64c975ebf08a5b25ed9f01665f766538a474e6e55c0f2aa963 |
memory/2044-191-0x0000000002930000-0x0000000002931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 56ecb2ab61b396586fb0e6dc0844990f |
| SHA1 | 1040ba497f46107a5c95824f3359f40ec66429e4 |
| SHA256 | f03de4b928808c3e43c2905a68a2e9a707d5f537553707b0a2a57f7e00c4cfc3 |
| SHA512 | 57ffa0c6b717267607e5a7f6274594bcde4f0c32030b75b3c2b7649f52169a95baa42b4153a35f8e55266fb74e97b97c441d50ab0fafd1313a307b1389aa9ff0 |
memory/4716-196-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 0e3fddad4d36d48e26f4d4e0c4d9d837 |
| SHA1 | f40ef2251b214bce8756b2a280461ab07391851c |
| SHA256 | 9f7fbfa199e053587b0ca885c02ae4e4a13148dec69a56a3a1742f0de8e91482 |
| SHA512 | aa02914d4a1879c075c39eea583b44e53f10060865dcbafe1239f90b13aa4b4858bf8f9ce110fa4a51b256d69a6b58da8867b384caaaef85fde5fb524a3298dc |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 6ed0a8fc0921ee8791e09eff622dd687 |
| SHA1 | 89985310e1c2761f502ccd0d101723faa5bf43a1 |
| SHA256 | 50dcba7112a3dc0ba78c1056b159c6a6f55e0b93d3a8f5f5eaef4aeeb1d8e0f2 |
| SHA512 | 6daecfec32bd2ed0d04e9a382301fed09f0c67d9a54f1a3cf977621fb67cebf4d7584cb157f77c44c5965eebd9391a77fd523a2d0c31d7557ce51bb9e55d2e5e |
C:\Users\Admin\AppData\Local\Temp\is-SHEJK.tmp\tuc3.tmp
| MD5 | 38ff9d63b20b8d20e7b1fc530424b6bc |
| SHA1 | a206236715712d8d898128017009bdbcb2ead8b1 |
| SHA256 | dce23eeba28c91aa446eef9b5318cc844fb24c94ab7177e785bf155404f2dfb6 |
| SHA512 | 54df92db88fb0349ed31f9034eefe750e07c9bc8ff14f6cef8deb9a0ef8db4a2f704104ad996d414f15b264f293912db8fbac63898712f731bec9ec035e084a2 |
memory/5100-208-0x00000000022A0000-0x00000000022DC000-memory.dmp
memory/1556-213-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SHEJK.tmp\tuc3.tmp
| MD5 | 7355ea2fe5706fa6af00181a51047930 |
| SHA1 | b5daefd314738b0248fa4b5b30a002c4caa5a56a |
| SHA256 | 929cc5a33447d4c1be80a1696bd7a2b793c48bc46c4a552c8745ce6479bcfd17 |
| SHA512 | 52087fc3a0b6800623f99569f41c875d93bd7ae39eaa79e5365f231f01866d9976b04092bde50c4c682220824359bdb5e560129e511cf0eb368cbd129c891258 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | bb837b4fbd5a8e71b087fcfcd1cc1959 |
| SHA1 | e2ee4a8d645bdc903d9947e3cebeb28c003b01e7 |
| SHA256 | 5b2fd562d90165752dbeca8309ce37d24697656c3136d4354a8aa5b58a3e22a8 |
| SHA512 | 07b93c88a50f70f596b33b3b04f5a83bf7b8912978117b917b4231eec81b3332301141937bdc51998ec5c1a986a3f5c15edd49e43d7adea96bdc353972b2ef36 |
memory/1184-220-0x0000000000660000-0x0000000000661000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N54QF.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-N54QF.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/5100-242-0x0000000074860000-0x0000000075010000-memory.dmp
memory/5100-355-0x0000000007730000-0x0000000007CD4000-memory.dmp
memory/5100-358-0x0000000007260000-0x00000000072F2000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 7a42673ca17effba38e00fa689a3a332 |
| SHA1 | 60f6e1cc72502a9182a99d8b342cefcac7ce274c |
| SHA256 | 4b2fbad3dbf9999d5f75d5b4158980ec8223c6160b13517fa9bf028841301c0c |
| SHA512 | 5c4c331b8d2980ea50d7f9a43ff714c01a52c159635e202894cf104f6f96fde69ff72c5c73813df1aea511a89b26d7dfa3eb5b20c7008aa6539f156c3b9105f0 |
memory/5100-362-0x0000000007230000-0x0000000007240000-memory.dmp
memory/692-369-0x0000000000400000-0x0000000000785000-memory.dmp
memory/5100-368-0x0000000007320000-0x000000000732A000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | aa4b0519ac54033b8daa977125ac6e5a |
| SHA1 | 93bbc177be91a3de5278e1c5b16719d2fce4092e |
| SHA256 | c4026b4ca98f675a3e87a41c197cb0414b8b9b04b1e318ce8c136fb5b79c22cd |
| SHA512 | be8026a316fb19034d818262de7557193b06467a54a1aeab6160178ff880829e0133d3d37165d129f74bbc1468cf841648f0d62973f9fad2c3fa40606b53edd5 |
memory/4284-374-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Program Files (x86)\xrecode3\xrecode3.exe
| MD5 | 3863ce690c772eccb56c7a9e3583c72d |
| SHA1 | d39c65b8764e415804a5b30e5d829ef554b42fcd |
| SHA256 | 2c889b6c5b39f75907718a740447e3184c4db7e8dfe45ec1bad24c077bca2c45 |
| SHA512 | 359d9ae3ee71ff7457c8c89003ca0fdf42553f3161d6b5da153545a8a5d55f1db5e8d6e0bc927b90dfa6a5678d366f435c09a79c7edb844b28d9eaf24a36ce3b |
memory/5100-375-0x0000000008610000-0x0000000008C28000-memory.dmp
memory/5100-376-0x000000000A0B0000-0x000000000A1BA000-memory.dmp
memory/5100-377-0x0000000009FE0000-0x0000000009FF2000-memory.dmp
memory/692-365-0x0000000000400000-0x0000000000785000-memory.dmp
memory/5100-378-0x0000000008170000-0x00000000081AC000-memory.dmp
memory/5100-379-0x00000000081B0000-0x00000000081FC000-memory.dmp
memory/3880-381-0x0000000002A00000-0x0000000002DFC000-memory.dmp
memory/3880-384-0x0000000002E00000-0x00000000036EB000-memory.dmp
memory/2044-387-0x0000000002930000-0x0000000002931000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C2EF.exe
| MD5 | 87ccbf7405527c646776a7f2e016b50c |
| SHA1 | 2b4199ecaedb41fadbe1b834d95cfc67585bef02 |
| SHA256 | 2e0328844caffbe3693e90cfb3be81b878395e8ef51138994b8b3d612f255883 |
| SHA512 | f9d4ee686629e083606b88d3269e1182e545e6b2e29e91157a02bd35cc0ff363913df56f83c0a68f763b708c2285ac4576343c2bd97460a841612083a26ce7a6 |
C:\Users\Admin\AppData\Local\Temp\C2EF.exe
| MD5 | 755af38e7b024e58102f6f2382b27b56 |
| SHA1 | f0f6448829da5489c4420626d7f9d70205ab2508 |
| SHA256 | 80897ef9693ab43f513fbc16fc22064d82ff00e13572fc3b7622f94a2d588548 |
| SHA512 | a13023c445d730b185e4ade807cb03741f79eb748c7c0c15cecc9978187cf9d81a6b89448501e71be56c94d4895bd92711b217d1905db2adf233a48ae5275d85 |
memory/3932-389-0x0000000000180000-0x0000000000674000-memory.dmp
memory/3880-388-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3932-390-0x0000000074860000-0x0000000075010000-memory.dmp
memory/4716-391-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1184-393-0x0000000000660000-0x0000000000661000-memory.dmp
memory/3120-394-0x00000000022E0000-0x00000000022E9000-memory.dmp
memory/3932-392-0x00000000051D0000-0x000000000526C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C68A.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/5100-402-0x0000000007230000-0x0000000007240000-memory.dmp
memory/5100-400-0x0000000074860000-0x0000000075010000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 93d1ae60a672d06fcb5a7a28d794f463 |
| SHA1 | cba5a1f2261783d63609febebd3985ff03cef0bc |
| SHA256 | c5debcb6c646b8b6bb476c3040feae749dd5eafa9a1dd87d4e1b384258f8db4c |
| SHA512 | 01d8c24aba269d0f204e5f2dafd3202f57b0dec65e25cc577f27c0a70c372d5afe0223565194bfc0f2199a387d6732b9ba0044f76da5247d6485ae0d2ac7996e |
memory/4332-404-0x0000000000D60000-0x0000000000D9C000-memory.dmp
memory/760-405-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3932-406-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/4332-407-0x0000000074860000-0x0000000075010000-memory.dmp
memory/4332-408-0x0000000007D60000-0x0000000007D70000-memory.dmp
memory/760-395-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3120-396-0x0000000000820000-0x0000000000920000-memory.dmp