Analysis Overview
SHA256
230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355
Threat Level: Known bad
The file 0bf52ae2496ca04e7f47c2a673ba48ba.exe was found to be: Known bad.
Malicious Activity Summary
ZGRat
SmokeLoader
RedLine
Detect ZGRat V1
PrivateLoader
RisePro
RedLine payload
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Checks installed software on the system
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
outlook_office_path
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Checks processor information in registry
outlook_win_path
Modifies system certificate store
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 00:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 00:56
Reported
2023-12-12 00:58
Platform
win7-20231023-en
Max time kernel
49s
Max time network
82s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
ZGRat
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B339.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FA86.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe
"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
C:\Users\Admin\AppData\Local\Temp\B339.exe
C:\Users\Admin\AppData\Local\Temp\B339.exe
C:\Users\Admin\AppData\Local\Temp\FA86.exe
C:\Users\Admin\AppData\Local\Temp\FA86.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\39B.exe
C:\Users\Admin\AppData\Local\Temp\39B.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\BA7.exe
C:\Users\Admin\AppData\Local\Temp\BA7.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-MVDQ0.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MVDQ0.tmp\tuc3.tmp" /SL5="$40160,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
memory/3048-280-0x00000000028C0000-0x00000000031AB000-memory.dmp
memory/3048-287-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3048-288-0x00000000024C0000-0x00000000028B8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 00:56
Reported
2023-12-12 00:58
Platform
win10v2004-20231127-en
Max time kernel
52s
Max time network
81s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5DDB.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe
"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1692 -ip 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1768
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
C:\Users\Admin\AppData\Local\Temp\1B72.exe
C:\Users\Admin\AppData\Local\Temp\1B72.exe
C:\Users\Admin\AppData\Local\Temp\5DDB.exe
C:\Users\Admin\AppData\Local\Temp\5DDB.exe
C:\Users\Admin\AppData\Local\Temp\6474.exe
C:\Users\Admin\AppData\Local\Temp\6474.exe
C:\Users\Admin\AppData\Local\Temp\66B7.exe
C:\Users\Admin\AppData\Local\Temp\66B7.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
| MD5 | aa2318d90ab353f9f383450efb1eb172 |
| SHA1 | 795b0fa578800793b8defdd5c2cf953d89d75ed8 |
| SHA256 | 8840342b60bef9ef1c10d6d9ebb19cfa196239d2d4c767fdd5e43fc51748e3aa |
| SHA512 | ec012ab6c12a66e5262b3c3225d0dc9482b8d2e15c558d1b860a2bbcb857606a55539b949f785ca6d4c6d895cec5f447a3e3529eaf2834baf498cd04a4659900 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
| MD5 | 9e61b78baee0f8f24961ab6bdffe724e |
| SHA1 | dcd5b56ec5637955f86fd8bcb3556c1768bff2a7 |
| SHA256 | bd1199b7edf4cf63214f5b2f943e352833e1f02afd9714105c08eaefa370b8be |
| SHA512 | 3c3fa7a0c1a4b6862023b5554a769fdab3d62a05361940348392cca66ec3ef9caf178e71802effb2707bddca92ae8d5fa0220e1cc4a7d255151492c5fa978f64 |
memory/1692-15-0x00000000027A0000-0x000000000286E000-memory.dmp
memory/1692-16-0x0000000002870000-0x0000000002A05000-memory.dmp
memory/1692-17-0x0000000000400000-0x0000000000912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grandUIAvJ2GMKmlNUHSb\information.txt
| MD5 | 8bf85f3acb67a9156755a26420adf82f |
| SHA1 | d393699226643ad5b8c36bb56d293bea48169f79 |
| SHA256 | 5c93fdb7bbe6ff425239782b746a5645b10c089d5309ec0eb1c773d9f44a91b4 |
| SHA512 | b8684399480df731bbf0ff0f91e19c7e517b643ed3b8bb2f0d3f2ba29c90e930b7f18da22956e88d58425327c8121ca22aa44a1aaed42f44cc00f24bc8b87946 |
memory/1692-94-0x0000000000400000-0x0000000000912000-memory.dmp
memory/1692-95-0x0000000002870000-0x0000000002A05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
| MD5 | 19201fcbfd5e820ad50bbc6484c1f802 |
| SHA1 | 18f4e598dc323d4e3ba9f96c672d2a677d4a69e5 |
| SHA256 | 354b24cf5c64b9a883cdab84060eaf00219429d89b03501a7bb2d5e77f020d7c |
| SHA512 | 01d0bd06e9755497a63157df3d623321be1d5ed8e722d1cddcf21a4ffa5d0a60f4b23efa0e3cc64b9769cc71c867afbeeaf722c26f5cfe58da0be601d7e9b548 |
memory/2600-99-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3260-100-0x00000000029E0000-0x00000000029F6000-memory.dmp
memory/2600-101-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
| MD5 | d383a48c997dbb50278e96a9b5b81f18 |
| SHA1 | 6b0dc122ad7dd996be4953cca0ea3583b896864f |
| SHA256 | 36c8a870673cfd45cbadf18df7dcdbbe4e991aa5fdf87c243687a1b540e1a6c6 |
| SHA512 | 8a0d689b3317c0ba96bae69152ff4d4dfe59f05a356190e43ce3d4a0bd41ea232ac3d9b452dfaa42181cf7dfc621c07a5dd6413c1d0c14109adeb0c36ad076d3 |
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp
| MD5 | 42c6fc078a2c88d7491c8467454de830 |
| SHA1 | 2e9521b65e0512b8e3b8498aedf2a8866d39e297 |
| SHA256 | f586c0b1972af46e20930368d12373d2a8d2f9f1ceaee33471706cf85df3a149 |
| SHA512 | a90900c7301db7556956a93af580f868f28f86977a93f5a367a84825b4675c29f9a9b0ed7663a0deeea7817a8fbf9ec4742243690eb1bec8687b5e861eba7aa0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
| MD5 | c22af1f9baf09a6ac9387e533fdaa44e |
| SHA1 | ff9b9e6ad585170cb01758d0147440ed514a8569 |
| SHA256 | 612abc7d8f0d0e21cb079622e56c3972eeb1d6fd567120e0191d0bc3af74f43f |
| SHA512 | 0e773b14a0cae7abfb1cb899f6b5b6d859e64ab6e185c9a68eac71f59a0d840ca96609aa8f76eb455c33afdc2a155a256bd210ce9a30fb3e3ef54cfb6c44db87 |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\1B72.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
C:\Users\Admin\AppData\Local\Temp\5DDB.exe
| MD5 | f5c25898beefcea6ffd88eb7582e8b8b |
| SHA1 | 91054035d114a25eb7a8ba59c2cf0ac8edcbfb2f |
| SHA256 | 40ee3f532d6bf537c6ce6e24e4774a5cc3bb495fc32f80769797c7a084020059 |
| SHA512 | fe5c1132f91e4e80186990da3ffbf2152aaba5dc7a1af3b9ad9a91f7c94334b7afb27c9bd06616a921aad63b924fd6985d6691732bdc38a38ea5fd291ca4fd8f |
C:\Users\Admin\AppData\Local\Temp\5DDB.exe
| MD5 | 21b6173b478e6ad917df328eeed7c0cb |
| SHA1 | b82fbfc02c7a20e286efc44fbbb2f5f91ba8173a |
| SHA256 | cda0f306ae53f2f7acf7151476df850e6e5738f3c293981e142decbc38aaa3ad |
| SHA512 | f85b14ac235b2fafd836b5da6fabb939db63bd9be26862084096834992674a1fafcf5dadbf6fc049b8cc725c8285e91c8c1970f7ae8c66b549974475e1adf3a1 |
memory/2084-128-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/2084-129-0x0000000000900000-0x0000000001DB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6474.exe
| MD5 | acb8dfe2a59269f234646bd97c4923bb |
| SHA1 | 9cad51be78e0100dc2050af40ea29872477660af |
| SHA256 | aafe4b3e2cb65c4de6246c5635a58b007993baf056c78f2f93a65b76206fb30a |
| SHA512 | 356be3d38b8dc48891b95e7ea8525a1eaff94b0a7e9d25f4c32f6faf09866ac04994b01f209869fac01d7cb4f7432cdd6b25fae41f27241189960488f2bf3805 |
C:\Users\Admin\AppData\Local\Temp\6474.exe
| MD5 | f54c9cbe81a3dd969b426136b5b70252 |
| SHA1 | de9e8fb009a276694e689b75c4ba9ed5139eeabb |
| SHA256 | eea37e938fc9ba826cd09b96c8a82599b6d8446b3252efe4e5e38f4bb2595d3c |
| SHA512 | bfe7e9b0d3c4c3c989388f6943f3825a9fe943c4132a14c9712d262fe9456aef725608a5893061f075b2518d195f9e259dc7f26b33ff938f625a4c32fa08cf4f |
memory/1308-134-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/1308-136-0x00000000008D0000-0x0000000000DC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\66B7.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/1308-142-0x0000000005BB0000-0x0000000006154000-memory.dmp
memory/1336-141-0x0000000074AF0000-0x00000000752A0000-memory.dmp