Malware Analysis Report

2025-03-15 05:10

Sample ID 231212-ba8nhsddh3
Target 0bf52ae2496ca04e7f47c2a673ba48ba.exe
SHA256 230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355
Tags
glupteba privateloader redline risepro smokeloader zgrat @oleh_ps livetraffic up3 backdoor collection discovery dropper infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355

Threat Level: Known bad

The file 0bf52ae2496ca04e7f47c2a673ba48ba.exe was found to be: Known bad.

Malicious Activity Summary

glupteba privateloader redline risepro smokeloader zgrat @oleh_ps livetraffic up3 backdoor collection discovery dropper infostealer loader persistence rat spyware stealer trojan

Glupteba

RisePro

SmokeLoader

ZGRat

RedLine payload

PrivateLoader

RedLine

Glupteba payload

Detect ZGRat V1

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops startup file

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Modifies system certificate store

Checks processor information in registry

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 00:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 00:57

Reported

2023-12-12 01:00

Platform

win7-20231023-en

Max time kernel

80s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <blob elided> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = <blob elided> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
(61 further rows with no recorded description, indicator, process or target)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2740 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 2740 wrote to memory of 2772 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 2772 wrote to memory of 2608 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 2292 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1140 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 2732 wrote to memory of 2188 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 1180 wrote to memory of 2660 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\276E.exe
PID 1180 wrote to memory of 900 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\81AF.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\276E.exe

C:\Users\Admin\AppData\Local\Temp\276E.exe

C:\Users\Admin\AppData\Local\Temp\81AF.exe

C:\Users\Admin\AppData\Local\Temp\81AF.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-SSHMT.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SSHMT.tmp\tuc3.tmp" /SL5="$4001C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\AAA3.exe

C:\Users\Admin\AppData\Local\Temp\AAA3.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\B8F6.exe

C:\Users\Admin\AppData\Local\Temp\B8F6.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\C6EB.exe

C:\Users\Admin\AppData\Local\Temp\C6EB.exe
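
Of the three Run/RunOnce writes in the "Adds Run key to start application" table, the two wextract_cleanup values are not the malware's persistence: they are the standard RunOnce hooks that Microsoft's wextract.exe (the IExpress self-extractor stub) sets so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon, and the nested IXP000.TMP and IXP001.TMP directories show an IExpress package carrying a second IExpress package. The persistence that survives a reboot is the Run value MaxLoonaFest131, the Startup-folder FANBooster131.lnk, and the two scheduled tasks OfficeTrackerNMP131 HR and LG created above with /sc HOURLY and /sc ONLOGON and /rl HIGHEST. The Python below is an added example, not part of the report: it parses those registry rows, the startup-file row and the two schtasks command lines copied from this page, separates the installer cleanup hooks from real persistence, and pulls the task name, schedule, binary and run level out of each schtasks /create invocation. The classification rules are the example's own.

```python
# Persistence triage over the registry rows, the startup-file row and the schtasks command
# lines recorded in this report. Added example, not part of the sandbox output; the sample
# rows are copied from the page, the classification rules are this example's own.
import re

SAMPLE_ROWS = [  # from the "Adds Run key to start application" and "Drops startup file" tables
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A',
]
SAMPLE_CMDLINES = [  # schtasks.exe command lines from the Processes list
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
]

REG_ROW = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+) N/A$')
STARTUP_ROW = re.compile(r"^File created (.+\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk) (\S+) N/A$", re.I)
WEXTRACT_CLEANUP = re.compile(r"rundll32(\.exe)?\s+.*advpack\.dll,DelNodeRunDLL32", re.I)

def parse_schtasks(cmdline):
    """Tokenise a schtasks command line (quoted arguments kept whole) into {flag: value|True}."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    args, i = {}, 1  # tokens[0] is the program name
    while i < len(tokens):
        flag = tokens[i].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[flag], i = tokens[i + 1], i + 2
        else:
            args[flag], i = True, i + 1
    return args

def triage(rows, cmdlines):
    """One finding per autostart entry, with wextract cleanup hooks labelled as such."""
    findings = []
    for row in rows:
        m = REG_ROW.match(row)
        if m:
            key, raw, proc = m.groups()
            value = re.sub(r"\\(.)", r"\1", raw)  # undo the report's \\ and \" escaping
            hive, name = key.rsplit("\\", 1)
            run_once = hive.lower().endswith("\\runonce")
            cleanup = run_once and name.startswith("wextract_cleanup") and WEXTRACT_CLEANUP.search(value)
            findings.append({"mechanism": "RunOnce" if run_once else "Run", "name": name,
                             "command": value, "process": proc,
                             "verdict": "wextract/IExpress temp-dir cleanup, not persistence"
                             if cleanup else "persistence"})
            continue
        m = STARTUP_ROW.match(row)
        if m:
            findings.append({"mechanism": "StartupFolder", "name": m.group(1).rsplit("\\", 1)[1],
                             "command": m.group(1), "process": m.group(2), "verdict": "persistence"})
    for cmd in cmdlines:
        a = parse_schtasks(cmd)
        if "/create" not in a:
            continue
        elevated = str(a.get("/rl", "")).upper() == "HIGHEST"
        findings.append({"mechanism": "ScheduledTask", "name": a.get("/tn"), "command": a.get("/tr"),
                         "schedule": str(a.get("/sc", "")).upper(), "run_as": a.get("/ru"),
                         "elevated": elevated,
                         "verdict": "persistence (run level HIGHEST)" if elevated else "persistence"})
    return findings
```

On the rows above this yields six findings: two cleanup hooks, the Run value, the startup shortcut and two tasks that run OfficeTrackerNMP131.exe as Admin with the highest available privileges, one hourly and one at every logon.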

Network

Country Destination Domain Proto
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.145.235:80 www.maxmind.com tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp
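
The Network table mixes three kinds of traffic: DNS to the sandbox resolver (8.8.8.8:53); HTTPS and HTTP to ipinfo.io, db-ip.com and www.maxmind.com, the geolocation look-ups behind the "Looks up external IP address via web service" signature; and sessions to bare IP addresses with no hostname, three of them on non-standard high ports (193.233.132.51:50500, 77.105.132.87:17066, 176.123.7.190:32927). The first sixteen rows are also listed twice. The Python below is an added example, not part of the report: it parses the rows copied from the table, deduplicates them and buckets each flow so the direct-to-IP sessions can be lifted out as indicators without dragging the look-up services along. The bucket rules are the example's own; the report does not attribute individual destinations to a specific family, and neither does this code.

```python
# Triage of the Network table: separates the geolocation look-ups that produced the
# "Looks up external IP address via web service" signature from direct-to-IP sessions.
# Added example, not part of the report; rows copied from the table above, rules this example's own.
IP_LOOKUP_SERVICES = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}  # the three seen in this report

SAMPLE_ROWS = """\
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.145.235:80 www.maxmind.com tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp
"""

def parse_rows(text):
    """'Country Destination [Domain] Proto' rows -> list of dicts; Domain is optional."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        flows.append({"country": parts[0], "ip": ip, "port": int(port),
                      "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]})
    return flows

def classify(flow):
    """Label one flow; rule order matters (DNS first, then known look-up services)."""
    if flow["proto"] == "udp" and flow["port"] == 53:
        return "dns-query"
    if flow["domain"] in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"  # geolocation service, not a candidate C2
    if flow["domain"] in ("", flow["ip"]):  # client connected by raw IP, no hostname
        return "direct-ip-http" if flow["port"] in (80, 443) else "direct-ip-nonstandard-port"
    return "other"

def triage(text):
    """Deduplicate and bucket flows: {label: sorted 'ip:port' strings, or queried names for DNS}."""
    buckets = {}
    for flow in parse_rows(text):
        label = classify(flow)
        key = flow["domain"] if label == "dns-query" else "%s:%d" % (flow["ip"], flow["port"])
        buckets.setdefault(label, set()).add(key)
    return {label: sorted(keys) for label, keys in buckets.items()}
```

For this report the direct-ip-nonstandard-port bucket holds the three high-port TCP sessions and direct-ip-http the three plain-HTTP hosts reached by IP in RU and FR; those six are the indicators to extract, while the external-ip-lookup bucket should be excluded from blocklists because the same services are used by plenty of legitimate software.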

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

MD5 aa2318d90ab353f9f383450efb1eb172
SHA1 795b0fa578800793b8defdd5c2cf953d89d75ed8
SHA256 8840342b60bef9ef1c10d6d9ebb19cfa196239d2d4c767fdd5e43fc51748e3aa
SHA512 ec012ab6c12a66e5262b3c3225d0dc9482b8d2e15c558d1b860a2bbcb857606a55539b949f785ca6d4c6d895cec5f447a3e3529eaf2834baf498cd04a4659900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

MD5 e65c410c473708ae4f71d476bdbc54d8
SHA1 a05759ed094a4eca38262558af01dab8a08c7855
SHA256 688e191a123facf7f9c0e170b890bc8dbaaf25d4f6e5846dbe248d7495181aed
SHA512 88affa34292f0d9b3b4c753c7f432e911039635a40aaca422d9c02a5490d2a7ce4976b683ca0dfbe1eb9dd233ab12f993c5ba07b55760a9e495334a5135f74aa

\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

MD5 6cb1ed8d4c527745a4b9f5a6e9333888
SHA1 b7c2c24c10c56f084c531465bcfdb2a08f129a30
SHA256 9f9bdbb2e445177f0a22f078a660008ab66f0d4b1807dc124b90a9d114173279
SHA512 9a3752f37d0df836edf2915ed41c4e03a26ae9f5e851ed558347a7e127423ef3e437d6da19baa4126ac871a35710baa66064707ca606af30e226e192082cb314

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

MD5 9e61b78baee0f8f24961ab6bdffe724e
SHA1 dcd5b56ec5637955f86fd8bcb3556c1768bff2a7
SHA256 bd1199b7edf4cf63214f5b2f943e352833e1f02afd9714105c08eaefa370b8be
SHA512 3c3fa7a0c1a4b6862023b5554a769fdab3d62a05361940348392cca66ec3ef9caf178e71802effb2707bddca92ae8d5fa0220e1cc4a7d255151492c5fa978f64

memory/2772-23-0x0000000002300000-0x00000000023CB000-memory.dmp

memory/2772-24-0x0000000002300000-0x00000000023CB000-memory.dmp

memory/2772-25-0x0000000002490000-0x0000000002625000-memory.dmp

memory/2772-26-0x0000000000400000-0x0000000000912000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA7AC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\grandUIAdzT1esOcc7d6D\information.txt

MD5 0d8042601cd31c5aadb69fa131cf7316
SHA1 17d11da8d5672eb7d77fd4e040e1ded3cb9cb003
SHA256 7d4588742e177e4eb56c40563e20364e61b159aaa28c41b8657aed4e184b8f12
SHA512 8e4ec2499b08a09cbeec22e32609fead8c73e449cf222063053d8140f949fd2cbb58d0eb3a3714ac464a47932b89ff5f5c04ae409e6ba4f603f325d15b9c4b54

memory/2772-123-0x0000000000400000-0x0000000000912000-memory.dmp

memory/2772-125-0x0000000002490000-0x0000000002625000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

MD5 19201fcbfd5e820ad50bbc6484c1f802
SHA1 18f4e598dc323d4e3ba9f96c672d2a677d4a69e5
SHA256 354b24cf5c64b9a883cdab84060eaf00219429d89b03501a7bb2d5e77f020d7c
SHA512 01d0bd06e9755497a63157df3d623321be1d5ed8e722d1cddcf21a4ffa5d0a60f4b23efa0e3cc64b9769cc71c867afbeeaf722c26f5cfe58da0be601d7e9b548

memory/1140-136-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1140-137-0x0000000000020000-0x000000000002B000-memory.dmp

memory/2740-128-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1140-139-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1180-138-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

MD5 d383a48c997dbb50278e96a9b5b81f18
SHA1 6b0dc122ad7dd996be4953cca0ea3583b896864f
SHA256 36c8a870673cfd45cbadf18df7dcdbbe4e991aa5fdf87c243687a1b540e1a6c6
SHA512 8a0d689b3317c0ba96bae69152ff4d4dfe59f05a356190e43ce3d4a0bd41ea232ac3d9b452dfaa42181cf7dfc621c07a5dd6413c1d0c14109adeb0c36ad076d3

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 ec3584f3db838942ec3669db02dc908e
SHA1 8dceb96874d5c6425ebb81bfee587244c89416da
SHA256 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340
SHA512 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 f94a165dbf94e86442c046286f225eaf
SHA1 53d29d6965856d9f308e705804a369a62fadcc9c
SHA256 f4b09cc5db5dcccb3ce72267ed335181f79182a897397d20f3b71bbd50ac56e9
SHA512 8e7dadb01302f3809ec82d01fff0cc7abc7b2f8c03ae9d69177e3ba1b9fe00150a042c6c08bb6046a23a81e9f183f7336cb4ed1deecc0f3fa0082e323bc9a621

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 3700bc2b4a5e2ad3dd50919cdb72d115
SHA1 dca72deff2e6896f13e28f456e2eeeb2e75c9082
SHA256 0e311057062cd1f8c9b6e17e4fa4688587b0bad963e0b5ec6dc7ca33564161ae
SHA512 3318f3e735c7af371affb159de4633c07b7ebe112704d671793bf7e7c5041b614f886e509689628f1afb6845c0107ffcafcbd6102f280bc656a69435dccb1cc7

C:\Users\Admin\AppData\Local\Temp\276E.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2660-165-0x0000000000270000-0x00000000002AC000-memory.dmp

memory/2660-170-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2660-171-0x00000000074F0000-0x0000000007530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81AF.exe

MD5 ab4a54dcf53852d6219d0061d2f41e01
SHA1 185ba4fc8f9c6949ab32a915a9054e5918e949c5
SHA256 5b43140fb82d0df94d4f5460a9647c33503e0eda6c70ce457b55fe7b5b69b4d5
SHA512 20087e5eff4440b1435724437254f2f1c83f586387d8ee90b503c16145b9c693fc9f82046cc42425fc7e03eb9a7fec23b0dfb33a6b04954c460ec9f8ba97b00e

C:\Users\Admin\AppData\Local\Temp\81AF.exe

MD5 2d2d0d3aa32f43fec6269ce4d71a58d8
SHA1 4d2dca943e7990587eb70caad0b2302a561bbf86
SHA256 285630526f426ffb7c2d7b317cc748819099ba2537a237d4d8fa1ca827a7dbc5
SHA512 821447d83fb44b8b7a186a3ddc663f557c7e83bbdb31a30f5a043c014fee833819d5de90d1c064c4b2efb5e1ab0d0cda7d302d0583cc63ee8f5db9fa98bd6241

memory/900-179-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/900-180-0x0000000000EE0000-0x0000000002396000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 9cbdb49c8cfe94d3380cf3456b66d96c
SHA1 32c5d500781220052e695ca2485a686267a8390b
SHA256 49b1edd250702b352f9ed1948db08e6a540c20e67c6916e76211fe450ca675d9
SHA512 b67aa9f0a8ae905c64fc699370d81e385adc5164237e0a60e9ec693ca57ff4aa77d8c7c329486eedd41bd43e97b9416c0ebf0a7fb8928feed621c0217715ae29

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 2147553781d9c35da13a910b9c739a4a
SHA1 eb8d517eae1ed8ec3ebee84052ea930af0bf59fa
SHA256 f8ebd949ba730e4ce3e0cdf9028f37332a996918cdb00e13806c1d6136406616
SHA512 c829ba244d556fe2f4a9275a3e8b1103265c4990c18b2dd0cd5042b2786d0014f4e52c684bce940b0f4d6c8d1b54e1a988c16bf25a7023500e4681a8a6b87d7a

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 59d0b1da6248e22c448668eef019c82a
SHA1 61dc1313fc9c90a39a54ce248882f93d929b00fb
SHA256 db5a2f1340e0394a0c5400f893a62f5f2f4b9d2fadd9a01c72322f235abe2d08
SHA512 9204c6caf33d40afa12abeb14a35dec1d341ee3a8c196e4a8ae6b041af4c8d5560356f598a4c43d9adb46f6cc5150541149c534170076a2dcef80ca012ae40e8

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1443c35afa950f86e849dca2a9081678
SHA1 e393b037d5bc43ae4d6ab5ee7468359518a87eef
SHA256 cbda4303a924161f7ca0ad9dfd7faf7ac98b5ef6e563808a036392489bbeb68b
SHA512 15fbe85e7d00a1f20754fecabb1c4d6855b387552f11df000f4225a981ac67804950bc1fae8c3c617eba86f862edbba18a818296e3a21066b1f4fb15c6c84997

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1bd2abd730144db8dbf95a90be12aee5
SHA1 2fd32d9ebb66189eb6baba759428c9a181f7bc45
SHA256 0ba53157c5dd501b6f7c36119aeab0065d15b5f05a1896ec34390995d37a98fe
SHA512 3c6e0e8c14e6b27e5955e6768a646e47f58c974866c4f5157594970f28cd9ced0792d6500cc16bb7f83df1436f32d6ebaefee5d03c018307141ee910fa6e16ac

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a4542b70eb044b317ca2731ff6233d19
SHA1 a1bb10e671d0ae68eab9e304b34b493585e81e7b
SHA256 4d97a7ff95ecd7498b9f64851c4b271ddbf357c898ea7073079c2f471d635a86
SHA512 e4144e8d26b3f1ccedc2aa1803a473f125cb84a23235d6e846a1559765da0b89fd2861cf4611adca1dba5656a7ce943a49d2cd624f849b5613ed6262a97a9f9c

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 757d573b62637ee0f85f94e182b7e2bd
SHA1 ea8303b7a06f2764fb463950a7b9a26a0f974d5d
SHA256 0c9353924f54f3aebfc637d3107d18f3fcdacaf5da04995f0659e9436f340c3e
SHA512 dbb9a2587937456da2028bc9421363216f9929a0ae72d1eb1ed5a76e34b1d73c4479bd90d2e0222a25fa2c137b720c09b6d35962f1273f3090dbbcc8ea481837

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 eb531d81b8b7b4e7e6a5c91556d78281
SHA1 adfd40f48a48b0fd0e8a427e2a19b9051f946530
SHA256 47c8e2e9026f6acd497524c3e4dd910712fae8e0f24d5979e857d9b96f9b9b8a
SHA512 c38c980c83634f36ef24632bbcf2dab255016354d4f9cb2ef00ef21b1d9817cfa13a3daaecc0daa62db78d849ddf2050d93030f50083e0ddc06b035b7a7fbc11

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 94649f283776ce0bc4d9480e32582a50
SHA1 52c15c4f177269217727342d2f318a3d78b449e9
SHA256 198cf5578b0dc9150e020727d05d910dd8241941bd7ffe54fa494f799860ce8a
SHA512 b342818b22ab480acb80738b0dc2bd7cb2e67fe57c00009f949ba04410c9ce692d6428b391725a3e88fe59cfff7da211c23075ed5c6052c66e5c2768725a5f67

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 315283edfb9669f4e36189fe591a9741
SHA1 8b428b50643a688e73eaea880e3fba39c2addca9
SHA256 31643fc0c9205763f3a8afc73ebbf7b3a47d613cd74d0d6f1fc3857429427f19
SHA512 50bfc177cc511e3efa893b6e57d979b539dadb31af4e9cbca7059f40d3a981a7b3d4d8227b9e004c73c97fbe2f08e54a7af2efc336485e5e6eb51eb79eeca247

memory/1636-219-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1132-218-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1528-211-0x00000000025A0000-0x0000000002998000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SSHMT.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

memory/1528-227-0x00000000025A0000-0x0000000002998000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-0GKO7.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-0GKO7.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/2828-243-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1528-242-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-0GKO7.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1528-260-0x00000000029A0000-0x000000000328B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAA3.exe

MD5 e67b214cf73509e275b0d6af277a3bf3
SHA1 182e70a3013a8593eead43ae76e77c4575365a75
SHA256 8aa9ab26694446b56dde979786200588e65b4fb1cc37b9695ced01af96e94fc7
SHA512 e66843b3266aeffa47e9fb18378b8553c4288f5fec384f5a1447b3681ef58a2f98e19be14535cbb990a4140444d2565e0f2820fed103d86bac1ad02f9f62f6cc

memory/2060-262-0x0000000074C10000-0x00000000752FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAA3.exe

MD5 acb8dfe2a59269f234646bd97c4923bb
SHA1 9cad51be78e0100dc2050af40ea29872477660af
SHA256 aafe4b3e2cb65c4de6246c5635a58b007993baf056c78f2f93a65b76206fb30a
SHA512 356be3d38b8dc48891b95e7ea8525a1eaff94b0a7e9d25f4c32f6faf09866ac04994b01f209869fac01d7cb4f7432cdd6b25fae41f27241189960488f2bf3805

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 da5373cd6c63f0b29e53690c218b2ac3
SHA1 85320b3df2e2acf94a61773fe7d2039e21eda187
SHA256 1ab0329a300e89dad09e93fb188d2796eacbe468df48d4fc6fba752e342752fa
SHA512 aca50feae54f8898a9ff4c7629dfbbe1cc333bd68409d68115c7c379e55c21a995c97db7b70f3e29446e8d8837b0db63a10e08c97468c1323fc9c6630451fbef

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 61e517047c367a81ba791cc9244a892e
SHA1 ddd00b4323d6155e14a198e88dd6642d774666c3
SHA256 2790d313d421450fd319c074da6f95645eb38edd0c66f95a5d90b930c6571144
SHA512 bb562fbb8d64da9ce175ae0cc5824c8f2b241acc6297d1ebf2d9e95abd6bef8875f0503423f62c7fd2921925785894e531fdef8786d4f5602400a3ed4940bac9

memory/2060-267-0x0000000000110000-0x0000000000604000-memory.dmp

memory/900-268-0x0000000074C10000-0x00000000752FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8F6.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/1288-274-0x0000000000BD0000-0x0000000000C0C000-memory.dmp

memory/1528-275-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1132-276-0x0000000000400000-0x0000000000965000-memory.dmp

memory/1288-279-0x0000000074C10000-0x00000000752FE000-memory.dmp

memory/2060-281-0x0000000004EE0000-0x0000000004F20000-memory.dmp

memory/1772-280-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/608-283-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1772-284-0x0000000000400000-0x0000000000409000-memory.dmp

memory/608-285-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1636-287-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1772-288-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2660-289-0x0000000074C10000-0x00000000752FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 00:57

Reported

2023-12-12 01:00

Platform

win10v2004-20231127-en

Max time kernel

64s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A
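A caveat on the two rows above: they are not the sample adding itself to an autostart key. wextract.exe, the self-extractor stub behind IExpress packages, writes RunOnce\wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<temp dir>" so that its IXP00N.TMP extraction folder is deleted at the next logon. That the second entry is written by NZ2ZU18.exe from inside IXP000.TMP, for IXP001.TMP, shows a nested self-extracting package, which is the real finding here. The script below is an added example, not part of this report: it parses rows in the table's own layout, undoes the \\ and \" escaping in the value data and separates the cleanup entries from genuine Run-key autostarts. The third row is constructed for contrast and does not come from this report.

```python
import re

# The two "Set value (str)" rows from the table above, followed by one constructed
# Run-key row (not from this report) to show what a real autostart entry looks like.
REGISTRY_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe" C:\Users\Admin\AppData\Local\Temp\constructed.exe N/A
'''

# Row layout: Set value (<type>) <key>\<value> = "<escaped data>" <process> <target>
ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "((?:[^"\\]|\\.)*)" (\S+) (\S+)$')
# The wextract cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>"
WEXTRACT_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+)"?$',
    re.IGNORECASE,
)


def parse_registry_rows(text):
    """Split each row into key, value name, unescaped data, writing process and target."""
    entries = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        kind, fullpath, data, process, target = m.groups()
        key, _, value = fullpath.rpartition("\\")
        entries.append({
            "kind": kind, "key": key, "value": value,
            "data": re.sub(r"\\(.)", r"\1", data),  # undo the \\ and \" escaping used in the report
            "process": process, "target": target,
        })
    return entries


def classify(entry):
    """('wextract-cleanup', <temp dir>) for the self-extractor's RunOnce entry, else ('autostart', <command>)."""
    m = WEXTRACT_RE.match(entry["data"])
    is_runonce = entry["key"].upper().endswith("\\RUNONCE")
    if m and is_runonce and entry["value"].lower().startswith("wextract_cleanup"):
        return ("wextract-cleanup", m.group("dir"))
    return ("autostart", entry["data"])


if __name__ == "__main__":
    for e in parse_registry_rows(REGISTRY_ROWS):
        label, detail = classify(e)
        print(f"{label:17} {e['value']:20} {detail}  (written by {e['process'].rsplit(chr(92), 1)[-1]})")
```

The match deliberately requires all three properties (RunOnce key, wextract_cleanup value name, advpack DelNodeRunDLL32 command) so that a Run value that merely mentions rundll32 is still reported as an autostart.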

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
62 further rows with Description, Indicator, Process and Target all N/A (omitted here)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 2384 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 2384 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 4904 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 4904 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 4904 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 4904 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 4904 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 4904 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 2384 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 2384 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 2384 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 3208 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E9F.exe
PID 3208 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E9F.exe
PID 3208 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E9F.exe
PID 3208 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC81.exe
PID 3208 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC81.exe
PID 3208 wrote to memory of 4824 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC81.exe
PID 3208 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB67.exe
PID 3208 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB67.exe
PID 3208 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB67.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2108 -ip 2108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 628

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 608

C:\Users\Admin\AppData\Local\Temp\8E9F.exe

C:\Users\Admin\AppData\Local\Temp\8E9F.exe

C:\Users\Admin\AppData\Local\Temp\DC81.exe

C:\Users\Admin\AppData\Local\Temp\DC81.exe

C:\Users\Admin\AppData\Local\Temp\EB67.exe

C:\Users\Admin\AppData\Local\Temp\EB67.exe

C:\Users\Admin\AppData\Local\Temp\EFCD.exe

C:\Users\Admin\AppData\Local\Temp\EFCD.exe

C:\Users\Admin\AppData\Local\Temp\F80B.exe

C:\Users\Admin\AppData\Local\Temp\F80B.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp
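A triage pass over the Network table, as an added example rather than part of the report: decode the in-addr.arpa PTR names back into addresses, separate resolver traffic from real connections, and pull out the sessions made to a bare IP with no hostname (87.248.202.1, 81.19.131.34, 185.172.128.19 and 185.221.198.96, all on port 80). Those four, not the g.bing.com / tse1.mm.bing.net traffic typical of an idle Windows 10 image, are the entries to pivot on. The PTR lookups are not evidence by themselves (the sandbox reverse-resolves background traffic too), so the last function intersects them with the addresses actually contacted.

```python
from collections import Counter
from ipaddress import ip_address

# Rows copied from the behavioral2 Network table above (country, destination, domain, proto).
# One row has no domain column at all, which the parser has to tolerate.
NETWORK_ROWS = """
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp
"""


def parse_network(text):
    """One dict per row; a missing domain column becomes an empty string."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'71.31.126.40.in-addr.arpa' -> '40.126.31.71'; None for anything that is not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ip_address(".".join(reversed(octets))))  # ip_address() validates the octets


def classify(row):
    """dns-ptr / dns-query for resolver traffic, direct-ip when no hostname was involved, named otherwise."""
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if ptr_to_ip(row["domain"]) else "dns-query"
    if row["domain"] in ("", row["ip"]):
        return "direct-ip"
    return "named"


def summary(rows):
    """Row count per class, to see at a glance how much of the table is resolver noise."""
    return Counter(classify(r) for r in rows)


def direct_ip_connections(rows):
    """Connections made straight to an IP with no DNS name: the first entries to pivot on."""
    return [(r["country"], r["ip"], r["port"]) for r in rows if classify(r) == "direct-ip"]


def ptr_looked_up_and_contacted(rows):
    """IPs that were both reverse-resolved and connected to, as opposed to background PTR lookups."""
    looked_up = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "dns-ptr"}
    contacted = {r["ip"] for r in rows if classify(r) == "direct-ip"}
    return sorted(looked_up & contacted)


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print(dict(summary(rows)))
    for country, ip, port in direct_ip_connections(rows):
        print(f"direct  {country}  {ip}:{port}")
    print("PTR-resolved and contacted:", ptr_looked_up_and_contacted(rows))
```

Of the four direct connections, 87.248.202.1 is the one the sample never reverse-resolved; the other three appear both as a connection and as a PTR query a few rows later.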

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

MD5 aa2318d90ab353f9f383450efb1eb172
SHA1 795b0fa578800793b8defdd5c2cf953d89d75ed8
SHA256 8840342b60bef9ef1c10d6d9ebb19cfa196239d2d4c767fdd5e43fc51748e3aa
SHA512 ec012ab6c12a66e5262b3c3225d0dc9482b8d2e15c558d1b860a2bbcb857606a55539b949f785ca6d4c6d895cec5f447a3e3529eaf2834baf498cd04a4659900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

MD5 9e61b78baee0f8f24961ab6bdffe724e
SHA1 dcd5b56ec5637955f86fd8bcb3556c1768bff2a7
SHA256 bd1199b7edf4cf63214f5b2f943e352833e1f02afd9714105c08eaefa370b8be
SHA512 3c3fa7a0c1a4b6862023b5554a769fdab3d62a05361940348392cca66ec3ef9caf178e71802effb2707bddca92ae8d5fa0220e1cc4a7d255151492c5fa978f64

memory/2108-15-0x0000000000B90000-0x0000000000C5E000-memory.dmp

memory/2108-16-0x0000000002820000-0x00000000029B5000-memory.dmp

memory/2108-17-0x0000000000400000-0x0000000000912000-memory.dmp

memory/2108-19-0x0000000002820000-0x00000000029B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

MD5 19201fcbfd5e820ad50bbc6484c1f802
SHA1 18f4e598dc323d4e3ba9f96c672d2a677d4a69e5
SHA256 354b24cf5c64b9a883cdab84060eaf00219429d89b03501a7bb2d5e77f020d7c
SHA512 01d0bd06e9755497a63157df3d623321be1d5ed8e722d1cddcf21a4ffa5d0a60f4b23efa0e3cc64b9769cc71c867afbeeaf722c26f5cfe58da0be601d7e9b548

memory/4712-23-0x0000000000400000-0x000000000040B000-memory.dmp

memory/4712-26-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3208-24-0x0000000002B60000-0x0000000002B76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

MD5 d383a48c997dbb50278e96a9b5b81f18
SHA1 6b0dc122ad7dd996be4953cca0ea3583b896864f
SHA256 36c8a870673cfd45cbadf18df7dcdbbe4e991aa5fdf87c243687a1b540e1a6c6
SHA512 8a0d689b3317c0ba96bae69152ff4d4dfe59f05a356190e43ce3d4a0bd41ea232ac3d9b452dfaa42181cf7dfc621c07a5dd6413c1d0c14109adeb0c36ad076d3

C:\Users\Admin\AppData\Local\Temp\8E9F.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\DC81.exe

MD5 fb6901c41fa9f764cf089a1460f29f16
SHA1 3bc6a40a33dcf0d3568e8017768973ec842cac37
SHA256 68745d072e52267ff5dc3ef59e5be10c8f49fe575d62df14a71da9ca180275b9
SHA512 686354ec5619d000ab2cff559146aad4a292ced9968e5c4fdbd83c0f1bf7d8a3782a93ec228c8de07ff7770c7b722845a4343de0e08d764f659e24cff3a57a8d

C:\Users\Admin\AppData\Local\Temp\DC81.exe

MD5 ee3e7c185246b429a56170842f97a892
SHA1 fded035d652832ec9835fa747cb88d162260362c
SHA256 4984bbfec727b8d1ec6f85c8862df9c40e46d87670a6f9180d7596cf3c7e7e82
SHA512 18655475b227ea06a7f4854c1c4e724befb6ba3c0371d89f6b6335b27ffdec89aa4ffb32b4d46ed5ac28271bfb761beb9a4e7ba4247393bcccca309ae080ca7b

memory/4824-39-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/4824-40-0x00000000005C0000-0x0000000001A76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB67.exe

MD5 e67b214cf73509e275b0d6af277a3bf3
SHA1 182e70a3013a8593eead43ae76e77c4575365a75
SHA256 8aa9ab26694446b56dde979786200588e65b4fb1cc37b9695ced01af96e94fc7
SHA512 e66843b3266aeffa47e9fb18378b8553c4288f5fec384f5a1447b3681ef58a2f98e19be14535cbb990a4140444d2565e0f2820fed103d86bac1ad02f9f62f6cc

C:\Users\Admin\AppData\Local\Temp\EFCD.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/372-50-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB67.exe

MD5 a5d9bb5e56be839cb6987103f437b04d
SHA1 e72f4ccd0afa39a66ed7b2503840a15aad61b35c
SHA256 15c458a7e9140e0e3537ed97ee258747af74b889d2e76d36f6faa8706355a3ba
SHA512 3a2202b824f26c79c4ae0d9a3f57a03a5d5b03caefcdc1d79c743b28723696786df27633ab2044551e13fb0d391e2663801f4edba61302fdd8c623177ab9dd00

memory/4612-52-0x0000000074CA0000-0x0000000075450000-memory.dmp

memory/372-53-0x0000000000EC0000-0x00000000013B4000-memory.dmp

memory/4612-51-0x0000000000F10000-0x0000000000F4C000-memory.dmp
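Two patterns in the Files sections of both detonations deserve a check before any hash is turned into a blocklist entry. Several paths are listed more than once with different hashes (InstallSetup9.exe three times in behavioral1; AAA3.exe, DC81.exe and EB67.exe twice each), meaning the file was rewritten with different contents during the run and every hash, not just the last, belongs in the indicator set. And two payloads recur across the two detonations under different random names: AAA3.exe in behavioral1 and EB67.exe in behavioral2 share SHA256 8aa9ab26694446b56dde979786200588e65b4fb1cc37b9695ced01af96e94fc7, and B8F6.exe and EFCD.exe share d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47. The script below is an added example, not part of the report; it parses a subset of those entries in the report's own layout and surfaces both patterns. It also normalises the "C:\Users" and "\Users" spellings the report uses for the same path. SHA1 and SHA512 lines are omitted from the embedded sample for brevity, but the parser accepts them.

```python
import re
from collections import defaultdict

# Subset of the Files entries above, in the report's own "path / ALGO hex" layout.
# Blank lines and memory/ dump lines are skipped by the parser.
BEHAVIORAL1_FILES = r"""
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 9cbdb49c8cfe94d3380cf3456b66d96c
SHA256 49b1edd250702b352f9ed1948db08e6a540c20e67c6916e76211fe450ca675d9

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 2147553781d9c35da13a910b9c739a4a
SHA256 f8ebd949ba730e4ce3e0cdf9028f37332a996918cdb00e13806c1d6136406616

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
MD5 59d0b1da6248e22c448668eef019c82a
SHA256 db5a2f1340e0394a0c5400f893a62f5f2f4b9d2fadd9a01c72322f235abe2d08

C:\Users\Admin\AppData\Local\Temp\AAA3.exe
MD5 e67b214cf73509e275b0d6af277a3bf3
SHA256 8aa9ab26694446b56dde979786200588e65b4fb1cc37b9695ced01af96e94fc7

C:\Users\Admin\AppData\Local\Temp\AAA3.exe
MD5 acb8dfe2a59269f234646bd97c4923bb
SHA256 aafe4b3e2cb65c4de6246c5635a58b007993baf056c78f2f93a65b76206fb30a

C:\Users\Admin\AppData\Local\Temp\B8F6.exe
MD5 91d23595c11c7ee4424b6267aabf3600
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
"""

BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\DC81.exe
MD5 fb6901c41fa9f764cf089a1460f29f16
SHA256 68745d072e52267ff5dc3ef59e5be10c8f49fe575d62df14a71da9ca180275b9

C:\Users\Admin\AppData\Local\Temp\DC81.exe
MD5 ee3e7c185246b429a56170842f97a892
SHA256 4984bbfec727b8d1ec6f85c8862df9c40e46d87670a6f9180d7596cf3c7e7e82

memory/4824-39-0x0000000074CA0000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB67.exe
MD5 e67b214cf73509e275b0d6af277a3bf3
SHA256 8aa9ab26694446b56dde979786200588e65b4fb1cc37b9695ced01af96e94fc7

C:\Users\Admin\AppData\Local\Temp\EFCD.exe
MD5 91d23595c11c7ee4424b6267aabf3600
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

C:\Users\Admin\AppData\Local\Temp\EB67.exe
MD5 a5d9bb5e56be839cb6987103f437b04d
SHA256 15c458a7e9140e0e3537ed97ee258747af74b889d2e76d36f6faa8706355a3ba
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def normalize(path):
    # The report lists the same file with and without the drive letter; drop it so they compare equal.
    return re.sub(r"^[A-Za-z]:", "", path)


def parse_files(text, run):
    """Build one record per 'path / ALGO hex' stanza, tagged with the detonation it came from."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            current["hashes"][m.group(1)] = m.group(2)
        else:
            current = {"run": run, "path": normalize(line), "hashes": {}}
            records.append(current)
    return records


def rewritten_paths(records):
    """(run, path) pairs whose contents changed between drops, with every SHA256 seen, in order."""
    by_path = defaultdict(list)
    for r in records:
        by_path[(r["run"], r["path"])].append(r["hashes"]["SHA256"])
    return {k: v for k, v in by_path.items() if len(set(v)) > 1}


def shared_payloads(records):
    """SHA256 values dropped under more than one file name, within or across detonations."""
    names = defaultdict(set)
    for r in records:
        names[r["hashes"]["SHA256"]].add((r["run"], r["path"].rsplit("\\", 1)[-1]))
    return {h: sorted(n) for h, n in names.items() if len({name for _, name in n}) > 1}
```

Call parse_files once per detonation, concatenate the records and feed both helpers; rewritten_paths flags the four paths named above and shared_payloads returns exactly the two cross-run hashes.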