Malware Analysis Report

2025-03-15 06:28

Sample ID 240204-mmt7fafcg4
Target ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe
SHA256 90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
Tags
warzonerat infostealer rat collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f

Threat Level: Known bad

The file ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat collection

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL (behavioral2 writes nss3.dll, softokn3.dll, freebl3.dll and mozglue.dll together with vcruntime140.dll and msvcp140.dll to C:\Users\Admin\AppData\Local\Temp; these are the Mozilla NSS libraries and their runtime, which stealers load to decrypt Firefox's saved logins)

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Creates scheduled task(s)

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 10:35

Signatures

Unsigned PE

Description Indicator Process Target
(1 row, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 10:35

Reported

2024-02-04 10:37

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
(5 rows, all fields N/A)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2372 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2540 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2652 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2372 wrote to memory of 2864 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\schtasks.exe
PID 2372 wrote to memory of 2716 (14 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2716 wrote to memory of 2944 (4 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 200
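The process list above is the whole chain in one run: the sample starts two PowerShell children that add Defender exclusions (one for its own path, one for C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe), registers the task Updates\LBvJnfZ from an XML file in Temp, then writes fourteen times into a freshly started RegSvcs.exe and resets its thread context, which is the process-hollowing sequence. Two caveats a responder should keep in mind: the image paths are under SysWOW64 while the command lines say System32, which is WoW64 file-system redirection for a 32-bit parent (hence the 32-bit Framework\ RegSvcs.exe as host, not Framework64), and neither run's file list shows LBvJnfZ.exe actually being written, so the Roaming path is the intended persistence copy rather than a confirmed artifact. The Python below is an added example, not the report's or the sandbox's code: it parses rows in the shape of this report's WriteProcessMemory/SetThreadContext tables and process list and reduces them to hollowing candidates, Defender exclusions, scheduled-task persistence and the cross-check that the excluded LBvJnfZ.exe matches the task name. The input rows are constructed from behavioral1; the PIDs attached to the command lines are taken from the tables, since the report does not print them beside the Processes entries.

```python
import re
from collections import Counter

# Constructed input, in the shape of this report's behavioral1 tables.
# PIDs for the command lines come from the WriteProcessMemory rows; the
# report's Processes list does not print them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

SIGNATURE_ROWS = (
    ["PID 2372 wrote to memory of 2540 N/A %s %s" % (SAMPLE, PS)] * 4
    + ["PID 2372 wrote to memory of 2652 N/A %s %s" % (SAMPLE, PS)] * 4
    + ["PID 2372 wrote to memory of 2864 N/A %s %s" % (SAMPLE, SCHTASKS)] * 4
    + ["PID 2372 wrote to memory of 2716 N/A %s %s" % (SAMPLE, REGSVCS)] * 14
    + ["PID 2372 set thread context of 2716 N/A %s %s" % (SAMPLE, REGSVCS)]
)

PROCESSES = {  # pid -> command line as listed under Processes
    2372: '"%s"' % SAMPLE,
    2540: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"' % SAMPLE,
    2652: r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"',
    2864: r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp"',
    2716: '"%s"' % REGSVCS,
}

# One table row. An optional "(N writes)" suffix is accepted so rows that
# were collapsed with a count are tallied correctly as well.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)"
    r"(?: \((\d+) writes\))? N/A (.+?) (C:\\.+)$")
EXCL_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"([^"]+)"', re.I)
TASK_RE = re.compile(r'schtasks\.exe"\s+/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', re.I)
TEMP_DIRS = ("\\AppData\\Local\\Temp\\",)


def parse_rows(rows):
    """Return ({(src, dst, src_img, dst_img): write_count}, {keys with SetThreadContext})."""
    writes, contexts = Counter(), set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (int(m[1]), int(m[3]), m[5], m[6])
        if m[2].startswith("wrote"):
            writes[key] += int(m[4] or 1)
        else:
            contexts.add(key)
    return writes, contexts


def hollowing_candidates(writes, contexts):
    """WriteProcessMemory alone proves little: a parent writes into every
    child it creates (the report shows four such writes for each PowerShell
    and schtasks child). Writes followed by SetThreadContext on the same
    target is the hollowing sequence and is what to alert on."""
    found = []
    for key in sorted(contexts):
        src, dst, src_img, dst_img = key
        found.append({
            "source_pid": src, "target_pid": dst, "target_image": dst_img,
            "writes": writes.get(key, 0),
            # .NET utilities under Framework\ are common hollowing hosts
            "dotnet_host": "\\Microsoft.NET\\Framework" in dst_img,
        })
    return found


def triage(rows, processes):
    writes, contexts = parse_rows(rows)
    report = {"hollowing": hollowing_candidates(writes, contexts),
              "exclusions": [], "tasks": []}
    for pid, cmd in processes.items():
        m = EXCL_RE.search(cmd)
        if m:
            report["exclusions"].append({"pid": pid, "path": m[1]})
        m = TASK_RE.search(cmd)
        if m:
            report["tasks"].append({
                "pid": pid, "name": m[1], "xml": m[2],
                # task definition fed from an XML file in the user's temp dir
                "xml_in_temp": any(d.lower() in m[2].lower() for d in TEMP_DIRS)})
    # A Defender exclusion for a file whose stem equals a task's leaf name is
    # the intended persistence copy (here LBvJnfZ.exe and Updates\LBvJnfZ).
    task_leaves = {t["name"].rsplit("\\", 1)[-1].lower() for t in report["tasks"]}
    report["persistence_copy"] = [
        e["path"] for e in report["exclusions"]
        if e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() in task_leaves]
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNATURE_ROWS, PROCESSES), indent=2))
```

Fed the behavioral2 tables instead, the same code reports only PID 884 as a hollowing candidate although four RegSvcs.exe instances were started: 1968, 4676 and 8 received just the three creation-time writes and no SetThreadContext, so they are RegSvcs.exe processes that were launched but never had a payload written into them.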

Network

N/A (no connections recorded in this run: the hollowed RegSvcs.exe, PID 2716, crashed and was handed to WerFault.exe -u -p 2716, see Processes above)

Files

memory/2372-1-0x0000000074C20000-0x000000007530E000-memory.dmp

memory/2372-0-0x0000000000A10000-0x0000000000B00000-memory.dmp

memory/2372-2-0x0000000007290000-0x00000000072D0000-memory.dmp

memory/2372-3-0x0000000000370000-0x000000000038C000-memory.dmp

memory/2372-4-0x00000000003A0000-0x00000000003AE000-memory.dmp

memory/2372-5-0x00000000004A0000-0x00000000004B4000-memory.dmp

memory/2372-6-0x0000000007880000-0x00000000078EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4846.tmp

MD5 d45b66d70fa31b2fd17e3b8a6a71e0ae
SHA1 543c77a91f6d80ed1115eeeca481773f5eeb5fa3
SHA256 08de119ee59b4ceef81472dcd744548db4fd86e148180cd6dabe4040fb80340b
SHA512 808655e80c6711d1c600e395a45c91f1a6f2e11d0998c299d578fbc32377faadb8b46f6f73d777547ffdbeee1e60739cbf226d42e18abd70bb2d3696dbb42092

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c5d1171b5c5ebac7a95dec679f6c4175
SHA1 57950f0630926eedff73b3ef3c5d05177d9fecaf
SHA256 1f93058490d5de2ea8ba634a976fcb8a3e07c3264b730470c83730e8376c45d2
SHA512 52fc33bdd48bd4122f835bb6d70bb8b71f2fbdd44492922d431483d9f19f73d0d7fdddee7de2eb490903afd77f437cf01bfc159b690d219a1fdf71094060354f

memory/2540-19-0x000000006FAB0000-0x000000007005B000-memory.dmp

memory/2652-21-0x000000006FAB0000-0x000000007005B000-memory.dmp

memory/2716-20-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2716-22-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2540-23-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2652-25-0x000000006FAB0000-0x000000007005B000-memory.dmp

memory/2540-27-0x000000006FAB0000-0x000000007005B000-memory.dmp

memory/2540-29-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2540-31-0x00000000028A0000-0x00000000028E0000-memory.dmp

memory/2372-33-0x0000000074C20000-0x000000007530E000-memory.dmp

memory/2716-32-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-35-0x00000000028F0000-0x0000000002930000-memory.dmp

memory/2716-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2716-28-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2716-26-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2716-24-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2716-38-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2372-40-0x0000000074C20000-0x000000007530E000-memory.dmp

memory/2716-41-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2652-43-0x000000006FAB0000-0x000000007005B000-memory.dmp

memory/2540-42-0x000000006FAB0000-0x000000007005B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 10:35

Reported

2024-02-04 10:37

Platform

win10v2004-20231215-en

Max time kernel

91s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
(5 rows, all fields N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3468 set thread context of 884 N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 1876 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 3004 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 824 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\SysWOW64\schtasks.exe
PID 3468 wrote to memory of 1968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3468 wrote to memory of 4676 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3468 wrote to memory of 8 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3468 wrote to memory of 884 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp978D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 45.137.22.105:4821 - tcp
US 8.8.8.8:53 105.22.137.45.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
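Of the twelve rows only one is a connection: the TCP session to 45.137.22.105:4821 (NL), the C2 candidate for the Warzone payload running inside RegSvcs.exe. The other eleven are PTR (reverse) lookups sent to 8.8.8.8, and one of them, 105.22.137.45.in-addr.arpa, is the reverse name of that same address; the remaining ten reverse-resolve addresses that the table never shows a flow to, and the page says nothing about which process caused them. The Python below is an added example, not part of the report: it parses rows in this table's layout (a row with an empty Domain cell may be written as "-"), turns in-addr.arpa names back into addresses and cross-references them with the direct flows, so the C2 endpoint comes out as one IOC and the reverse-only addresses are kept apart from it. The input rows are the behavioral2 table, embedded here as constructed sample data.

```python
import ipaddress
import re

# Constructed input: the behavioral2 Network table in the report's own
# layout (Country Destination Domain Proto); an empty Domain cell is "-".
NETWORK_ROWS = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 45.137.22.105:4821 - tcp
US 8.8.8.8:53 105.22.137.45.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def ptr_to_ip(name):
    """'105.22.137.45.in-addr.arpa' -> '45.137.22.105' (PTR names reverse the octets)."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def parse_network(text):
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        cc, ip, port, domain, proto = m.groups()
        flows.append({"cc": cc, "ip": ip, "port": int(port),
                      "domain": None if domain in (None, "-") else domain,
                      "proto": proto})
    return flows


def summarize(flows):
    """Separate DNS rows from real connections and cross-reference them."""
    ptr_names = {}   # address -> in-addr.arpa name that was queried for it
    forward = []     # ordinary (non-PTR) names queried, if any
    direct = []      # everything that is not DNS: the endpoints actually contacted
    for f in flows:
        if f["proto"] == "udp" and f["port"] == 53:
            ip = ptr_to_ip(f["domain"])
            if ip:
                ptr_names[ip] = f["domain"]
            elif f["domain"]:
                forward.append(f["domain"])
            continue
        direct.append(f)
    contacted = {f["ip"] for f in direct}
    return {
        "endpoints": [{
            "dst": "%s:%d" % (f["ip"], f["port"]), "proto": f["proto"], "cc": f["cc"],
            "global": ipaddress.ip_address(f["ip"]).is_global,
            # a PTR query for the same address ties the two rows together
            "ptr_seen": f["ip"] in ptr_names} for f in direct],
        "dns_names": forward,
        # reverse-resolved but never shown as a flow: report, don't treat as IOC
        "ptr_only": sorted(set(ptr_names) - contacted, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_network(NETWORK_ROWS)), indent=2))
```

The only endpoint the page supports as an indicator is 45.137.22.105 on TCP/4821; the ten "ptr_only" addresses are worth a look in proxy and DNS logs but should not be blocked on the strength of this table alone.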

Files

memory/3468-1-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3468-0-0x0000000000D00000-0x0000000000DF0000-memory.dmp

memory/3468-2-0x0000000008150000-0x00000000086F4000-memory.dmp

memory/3468-3-0x0000000007CA0000-0x0000000007D32000-memory.dmp

memory/3468-4-0x0000000007C60000-0x0000000007C70000-memory.dmp

memory/3468-6-0x0000000007F80000-0x000000000801C000-memory.dmp

memory/3468-5-0x0000000007E60000-0x0000000007E6A000-memory.dmp

memory/3468-7-0x00000000051C0000-0x00000000051DC000-memory.dmp

memory/3468-8-0x0000000005220000-0x000000000522E000-memory.dmp

memory/3468-9-0x0000000005230000-0x0000000005244000-memory.dmp

memory/3468-10-0x0000000009620000-0x000000000968E000-memory.dmp

memory/1876-16-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/1876-15-0x0000000002F40000-0x0000000002F76000-memory.dmp

memory/3468-17-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/1876-18-0x0000000005B80000-0x00000000061A8000-memory.dmp

memory/1876-23-0x0000000005540000-0x0000000005550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp978D.tmp

MD5 dba58b1b67ec2fb65e6c38b93ec058e7
SHA1 d8c25bea2f0ad9a402a22ca212fbe9d239170baf
SHA256 54b6cd14d379db5fb8e0c1d6810bf942e6bfe37d257ab8f3021e76e0bb10f44e
SHA512 511fb168152330e5415bf04c6817794efbe0347be5910269d7b4dc0a67d08ff141fb80fbf8d473068ff5ef9d6bd00308fd4c893c8cf8e30a88da553e718e74a4

memory/1876-22-0x0000000005540000-0x0000000005550000-memory.dmp

memory/3004-21-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/1876-25-0x00000000058B0000-0x00000000058D2000-memory.dmp

memory/3004-20-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/1876-26-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/3004-27-0x0000000005910000-0x0000000005976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ziwwg3oq.qu1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/884-47-0x0000000000400000-0x000000000055E000-memory.dmp

memory/884-50-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3468-51-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3004-37-0x0000000005980000-0x0000000005CD4000-memory.dmp

memory/884-52-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3004-19-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3004-53-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

memory/3004-54-0x0000000006060000-0x00000000060AC000-memory.dmp

memory/1876-58-0x0000000071080000-0x00000000710CC000-memory.dmp

memory/1876-57-0x000000007F7C0000-0x000000007F7D0000-memory.dmp

memory/3004-59-0x0000000071080000-0x00000000710CC000-memory.dmp

memory/3004-56-0x0000000006580000-0x00000000065B2000-memory.dmp

memory/3004-55-0x000000007F990000-0x000000007F9A0000-memory.dmp

memory/1876-81-0x0000000005540000-0x0000000005550000-memory.dmp

memory/3004-80-0x0000000006FA0000-0x0000000007043000-memory.dmp

memory/3004-79-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

memory/1876-69-0x0000000006E10000-0x0000000006E2E000-memory.dmp

memory/3004-83-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/1876-82-0x00000000081D0000-0x000000000884A000-memory.dmp

memory/3004-84-0x0000000007350000-0x000000000735A000-memory.dmp

memory/1876-85-0x0000000007E10000-0x0000000007EA6000-memory.dmp

memory/3004-86-0x00000000074E0000-0x00000000074F1000-memory.dmp

memory/1876-87-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

memory/1876-88-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

memory/3004-90-0x0000000007600000-0x0000000007608000-memory.dmp

memory/3004-89-0x0000000007620000-0x000000000763A000-memory.dmp

memory/1876-96-0x00000000748C0000-0x0000000075070000-memory.dmp

memory/3004-97-0x00000000748C0000-0x0000000075070000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b62db2c62e2ec575b2b4930331abd598
SHA1 4ee93b75b7564c17c3b50a56920ebd94edf225f0
SHA256 d66d9ac7119a33c0f1daeed4b6a5d738277a5ac5f2f9bae521b17977159fae05
SHA512 d2382e6133137e09ac5daa8a4cee035b474b32ff70079dfd41ed72fa7011446c985147dff49c83c15fab5f3a8517d0bff2e52854e9706e1a7e43a84734037466

memory/884-98-0x0000000000400000-0x000000000055E000-memory.dmp

memory/884-105-0x0000000004070000-0x00000000040F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 e9fbf0ddde942dd5eb42233234df26ec
SHA1 3e5e101d1eeb5eb5e3da4ef7771143a6c8082392
SHA256 22f3f14623ca2cfe83d7132daed54b80bed1002948df2329fb3dd719e0ad6053
SHA512 d1ad8e5e420f0b0c0cabd8cc9a080b053a5e1faa17f12d4d0fb6af3e9824097a0de77a33ac91f2d570e91a4183f69e0f41e4fd8b5c50a04a03b6002caf80cf84

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 471c983513694ac3002590345f2be0da
SHA1 6612b9af4ff6830fa9b7d4193078434ef72f775b
SHA256 bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
SHA512 a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 f878ca190e4f9fc95b9e0f4e4f9c0f9b
SHA1 ff5d3c7f7278f0c6e65f4bba41b241af8a27edb7
SHA256 b370cead48ad52f0df0296fb57aef0a5779a1b97615297672a9fd2604984c310
SHA512 ae6985c8c7b9c7e78afe786d50f151b1934ef6a9ad0ef7d26e3e4b574e9b5281c3396e6bc93eb185af01a3688eb11253607a37c4b16743baf410f4772e54f8b7

C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 0c42f8245b5923220b8db436fd613177
SHA1 d65f73314670f55a8ea8ebe7c54b58361c850717
SHA256 b101bda4d7ee150f3887e7085a4275ec68d814a1911f61fbbf043904f609f0fd
SHA512 2a73db5c68d18d7384ea60a108e0e974f18567ba4a48bfc72f8aa6eda386e5279605e7b3b6aeb4753e4f274577140df69f50f0e7cc985357dadc4978b6865d0c

memory/884-126-0x0000000000400000-0x000000000055E000-memory.dmp

memory/884-127-0x0000000004070000-0x00000000040F4000-memory.dmp