Malware Analysis Report

2025-03-15 05:15

Sample ID 231212-back3sddf2
Target 0bf52ae2496ca04e7f47c2a673ba48ba.exe
SHA256 230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355
Tags
privateloader redline risepro smokeloader zgrat @oleh_ps livetraffic up3 backdoor collection discovery infostealer loader persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

230c51252d44500fb3c6e6481136a1b06730602bf8daf8162c3decc95cff2355

Threat Level: Known bad

The file 0bf52ae2496ca04e7f47c2a673ba48ba.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

SmokeLoader

RedLine

Detect ZGRat V1

PrivateLoader

RisePro

RedLine payload

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks installed software on the system

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Checks processor information in registry

outlook_win_path

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 00:56

Reported

2023-12-12 00:58

Platform

win7-20231023-en

Max time kernel

49s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 1264 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 2404 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2404 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 2008 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 1192 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B339.exe
PID 1192 wrote to memory of 1548 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA86.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\B339.exe

C:\Users\Admin\AppData\Local\Temp\B339.exe

C:\Users\Admin\AppData\Local\Temp\FA86.exe

C:\Users\Admin\AppData\Local\Temp\FA86.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\39B.exe

C:\Users\Admin\AppData\Local\Temp\39B.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\BA7.exe

C:\Users\Admin\AppData\Local\Temp\BA7.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-MVDQ0.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MVDQ0.tmp\tuc3.tmp" /SL5="$40160,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

Network

Country Destination Domain Proto
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.18.146.235:80 www.maxmind.com tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

MD5 aa2318d90ab353f9f383450efb1eb172
SHA1 795b0fa578800793b8defdd5c2cf953d89d75ed8
SHA256 8840342b60bef9ef1c10d6d9ebb19cfa196239d2d4c767fdd5e43fc51748e3aa
SHA512 ec012ab6c12a66e5262b3c3225d0dc9482b8d2e15c558d1b860a2bbcb857606a55539b949f785ca6d4c6d895cec5f447a3e3529eaf2834baf498cd04a4659900

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

MD5 2d3aae2d6007fe6a223ab65d7ea692a0
SHA1 5d8a422b0c539a5cf5e46122462cfba93f1775c2
SHA256 8b334f449960303386f42dcd18396ab6b1c1653144eb10b568638c452f77bc98
SHA512 9232bcf6ec8892db10be299e280a1f90e58c282c30741e01331ef40d2d0ba33062ca6b4c1428a4270e2ccae2c63fd1728e9cd83b39a18ce0821c9edd08d3ea3a

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

MD5 9e61b78baee0f8f24961ab6bdffe724e
SHA1 dcd5b56ec5637955f86fd8bcb3556c1768bff2a7
SHA256 bd1199b7edf4cf63214f5b2f943e352833e1f02afd9714105c08eaefa370b8be
SHA512 3c3fa7a0c1a4b6862023b5554a769fdab3d62a05361940348392cca66ec3ef9caf178e71802effb2707bddca92ae8d5fa0220e1cc4a7d255151492c5fa978f64

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

MD5 c9a6db8114e5010f3f627056bf0a13b6
SHA1 93e53b3e064ae315f887ecb9bf52d47ee2e5f2ab
SHA256 0080021c5025a44059facb8d08de070ce21da0907c78327979cae34f0b3f782d
SHA512 a4b727d8c2f92e36a3e3ae0d0c9662b77c1db13abe04278c59f13725386aaa70224538d730d976259c7b3aa3486c6e26af11fcdd07a5d893c1e5aa06b81ab561

memory/2404-23-0x0000000002490000-0x000000000255B000-memory.dmp

memory/2404-24-0x0000000002490000-0x000000000255B000-memory.dmp

memory/2404-25-0x0000000002670000-0x0000000002805000-memory.dmp

memory/2404-26-0x0000000000400000-0x0000000000912000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4F8E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\grandUIAoD3b3fyhKfy42\information.txt

MD5 9359b7020edb0e527a36fb0ddd14af92
SHA1 f86d460b3e8e48ad9df1fe4c4974e284858c9859
SHA256 57b0b041ee50b67b5f461f58fe218968f54209e9f485e5905636dac165068680
SHA512 cf65f22763858682ab1defd3283e1d3f17d0076a6afc2c97ee200cdbb1dbcef92d35b54dce5d5e1e030be259ed74b13a75def8ebf938eb6f52f79f27913be160

memory/2404-123-0x0000000000400000-0x0000000000912000-memory.dmp

memory/2404-124-0x0000000002670000-0x0000000002805000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

MD5 19201fcbfd5e820ad50bbc6484c1f802
SHA1 18f4e598dc323d4e3ba9f96c672d2a677d4a69e5
SHA256 354b24cf5c64b9a883cdab84060eaf00219429d89b03501a7bb2d5e77f020d7c
SHA512 01d0bd06e9755497a63157df3d623321be1d5ed8e722d1cddcf21a4ffa5d0a60f4b23efa0e3cc64b9769cc71c867afbeeaf722c26f5cfe58da0be601d7e9b548

memory/1264-132-0x00000000000F0000-0x00000000000FB000-memory.dmp

memory/1264-133-0x00000000000F0000-0x00000000000FB000-memory.dmp

memory/1340-136-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1340-137-0x0000000000020000-0x000000000002B000-memory.dmp

memory/1192-138-0x0000000002A20000-0x0000000002A36000-memory.dmp

memory/1340-139-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

MD5 d383a48c997dbb50278e96a9b5b81f18
SHA1 6b0dc122ad7dd996be4953cca0ea3583b896864f
SHA256 36c8a870673cfd45cbadf18df7dcdbbe4e991aa5fdf87c243687a1b540e1a6c6
SHA512 8a0d689b3317c0ba96bae69152ff4d4dfe59f05a356190e43ce3d4a0bd41ea232ac3d9b452dfaa42181cf7dfc621c07a5dd6413c1d0c14109adeb0c36ad076d3

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 04ce4714a28ddd4c4e419cec9ccc680b
SHA1 51d99ea9183bb80bacc0fafde1a9d84b9fd1f790
SHA256 20013318e9392eb632d3b2017df8e29657246b58a22f92942af5f7a5ea5325cd
SHA512 bdefd9fb89dca8956fe7be24bf6971882ede31248fe93cd3b715908f2d0e61e70216fb1b16745c41a7a9709a4d0de9d49d87382aacc08fc6f53c4921f6b951b8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 406debeb583fdef735a54afca5f6588d
SHA1 8f40a8409c5b4ababf8773d186243468ebade7e4
SHA256 4c6be38a795d27e5e5e5a2576b78e4b8009deefb997b72ab0aa2b6a0e1a10c87
SHA512 a1457f4ee45ee94c1ba1abf78fdf018aae104ae9297a8ba11a86c784d43fbd7db6f9d7dcb11509b9845e083b15c385e091baa9956dc2aebd946f6b037a7cce68

C:\Users\Admin\AppData\Local\Temp\B339.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2132-165-0x0000000000200000-0x000000000023C000-memory.dmp

memory/2132-170-0x0000000074DD0000-0x00000000754BE000-memory.dmp

memory/2132-171-0x0000000002710000-0x0000000002750000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA86.exe

MD5 dc1060ae69a91f594aab5337d6a12d0d
SHA1 ea70aede766870b6db6555cefb73dbb28e250cc0
SHA256 9ca743a2ddf85a166aff2a7a6794e561b0a7e38bfdaf445e2207a92d437c501d
SHA512 634c5b770952052c1e3345773f4350f2de114ad966d8454166b03af9f3b30795a9e5b9ad3d07d99bebb8e3f86e0d974da7468acab2975a65c855c4779d0dad93

C:\Users\Admin\AppData\Local\Temp\FA86.exe

MD5 ae50a02211eb2cdb7c8fa8d931d0b173
SHA1 273d6fb09590e5f4ee67756d45e158cf04033023
SHA256 6e53b42301dad111084a6da6a20b8bf50f3f9ec1c170fc3c57b402f1a0373c01
SHA512 246d98259fee22aa9f8db4df8a34cdc44abcacb97222f0638e34555f0bc20be19cedab018a94c2a6c52e2d1149afc1c5cb595d0b44635d46112a22c9ce6972f1

memory/1548-178-0x0000000074DD0000-0x00000000754BE000-memory.dmp

memory/1548-179-0x0000000000C90000-0x0000000002146000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d454d40f3e767308d1acc6ff0aa24c13
SHA1 c2865b6e6a023036fa3d571f011a51ce5654e1bb
SHA256 e75f67e64bd2dcbece728c3ddc583e65b4069f676e5bace86b345cbc2c97a067
SHA512 90d11c812220f3669127eebb9f56e7b98e192258c2effc902f4a6cf809a92ad8bfa024d84272f6c262d0a3dfe827c262e935bbf508c2af154c21972728bf0d0b

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4d2aa827c7e5e2df5624e59ca3ed670f
SHA1 6713a7b2ea62d4881e733f2cb1ce1509241b5a54
SHA256 f89d9eb4adb34a02cebdf76fc3f618a99fcf644f79febf9d1d67b81a96c0d649
SHA512 e3b437f8a0b88079422625f9baabcd7f033112473d07e884cd8d805b6c74ff8a017da4486a4955dede3b6f502fa05fecc41b8e5ed9ac0939dfb41e70e519b1cd

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6633216edc91d0d56c07859c4682d791
SHA1 16b7f37032c6b47a1873ea776ddb31d96ed349fa
SHA256 882476be71cae2c1c6dc3e324247500020195ee4ac07d34c7e2692002ff4210e
SHA512 50be9993dd62369d20f215ea5ecf91e788ac464d01079401d14884506d5d16d8cec286024d71a26ef0a8589b6b7f4c7de71740e1e63f65e52b758ccb0f12e237

memory/1752-212-0x0000000074DD0000-0x00000000754BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d58b7abf32e67ecfad00b9d9f34d7e16
SHA1 b75368c7b1d6ca5c3afbcb513d02ca5324b8df47
SHA256 6f2201a6aac01181e6def09b3c8317e2d138b3b8287ef564109aa19a169b774d
SHA512 db22a922b723d8d7216a124943492151a668dce49432bf5e79b2b60c8c5ed798a461efe14ac958bfebc865c86314d33b92f990c891e76be290f5192f1061aee5

memory/1752-214-0x0000000000F50000-0x0000000001444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 82d5b92c96e783a61ed32622b3e8dd00
SHA1 32547137b21f91ad5da322f8d165ca6d729bd68d
SHA256 a5ef4fc96427e8449b25d9c6258e828dfd1fde36ae3c469cb5b0a3c67316c1f9
SHA512 0c98593bca60ff76d0862fb2eae50a39732123fd46588c81897116022178c6e6cb7625d5ef57ae1976a2b79886a9687df2071509e4e87443d29fb2bce6ed4273

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 85c5c383fe35bf71b0ce4d11fcc39754
SHA1 9938099251a260599dadc4aef6b487cd87054ee2
SHA256 9385da9cd4d034528f34663e1e36e16d5f1c13944ecfcb760da89cd71abb0dd1
SHA512 9512794558b0630d013a6f9de0a1ab28e4b25ae51a1d363821912680c7287a7132c8b6d8d68db827fc6594373943ed70299aecd7d4ce172a0ede0a62a7d7e7e7

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 dd56678c28ac3fb23c087684efc3122c
SHA1 9a0585b9508c5ce1ac55435750a63e9438aae9a4
SHA256 fc9621e1387dcb21ae6e025b59c67975f8d1cb534b5b53e0857ad0a1ee61f1fc
SHA512 24c7002953c834ac9cc08fdf5ceef643404212bf1d81c087a1004cc97053f810bc1eef7e352f124336f14c0068716f46649c27c77ad9660a264b564283877dfc

C:\Users\Admin\AppData\Local\Temp\39B.exe

MD5 00faa9bfe982e0083b0e879109f2658a
SHA1 72fd026b87deb0ae39d8a56bd2a5bf41a100d2ad
SHA256 d96f8eb876e043adfc83eef9bdb303179bf4fdd8a5e1028e20824acc4652a96f
SHA512 845b11dfadfab74fc468f52f153fe4be65c53e5d8ad435ced2a2bc8e20f5dc6ee53171cbb7942c4de7a7f2d74d19d4f05b4ce87e2e7a1fba07b8e4693abb9c87

C:\Users\Admin\AppData\Local\Temp\39B.exe

MD5 ef7c18462f31461780fc8ca8048229a9
SHA1 0fe49b944a9050d6f2b0a9d218a9eb9407727e59
SHA256 7f933c3ffc5ef0c505d1567907c792b03f932cb0b4c81f31f863291e9a9524ea
SHA512 baeaaa654df528537608f17118cc85d191e8cd4581f0da52d10b38142f11153caa45b73e40e3a467e14ba4cfb875659f592209b9cdb00d3d2b9c9eeb3a40ded0

memory/1752-215-0x0000000005080000-0x00000000050C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\BA7.exe

\Users\Admin\AppData\Local\Temp\tuc3.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

\Users\Admin\AppData\Local\Temp\latestX.exe

\Users\Admin\AppData\Local\Temp\is-MVDQ0.tmp\tuc3.tmp

\Users\Admin\AppData\Local\Temp\is-N0UQ5.tmp\_isetup\_iscrypt.dll

\Users\Admin\AppData\Local\Temp\is-N0UQ5.tmp\_isetup\_isdecmp.dll

\Users\Admin\AppData\Local\Temp\is-N0UQ5.tmp\_isetup\_shfoldr.dll


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 00:56

Reported

2023-12-12 00:58

Platform

win10v2004-20231127-en

Max time kernel

52s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe
PID 1832 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe
PID 1692 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe C:\Windows\SysWOW64\schtasks.exe
PID 1832 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe
PID 4012 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe
PID 3260 wrote to memory of 684 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B72.exe
PID 3260 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\5DDB.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe

"C:\Users\Admin\AppData\Local\Temp\0bf52ae2496ca04e7f47c2a673ba48ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1692 -ip 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\1B72.exe

C:\Users\Admin\AppData\Local\Temp\1B72.exe

C:\Users\Admin\AppData\Local\Temp\5DDB.exe

C:\Users\Admin\AppData\Local\Temp\5DDB.exe

C:\Users\Admin\AppData\Local\Temp\6474.exe

C:\Users\Admin\AppData\Local\Temp\6474.exe

C:\Users\Admin\AppData\Local\Temp\66B7.exe

C:\Users\Admin\AppData\Local\Temp\66B7.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZ2ZU18.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EP64oO1.exe

C:\Users\Admin\AppData\Local\Temp\grandUIAvJ2GMKmlNUHSb\information.txt

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Am51am.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4bb279Ym.exe

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

C:\Windows\System32\GroupPolicy\GPT.INI

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

C:\Users\Admin\AppData\Local\Temp\1B72.exe

C:\Users\Admin\AppData\Local\Temp\5DDB.exe

C:\Users\Admin\AppData\Local\Temp\6474.exe

C:\Users\Admin\AppData\Local\Temp\66B7.exe
