Malware Analysis Report

2025-03-15 06:28

Sample ID 240204-mnnq2sfdb8
Target ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe
SHA256 90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f
Tags
warzonerat infostealer rat collection
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90b0e81cae870478e28e0902f8011e63315394fab478fb790827d95d1c34ba6f

Threat Level: Known bad

The file ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat collection

WarzoneRat, AveMaria

Warzone RAT payload

Loads dropped DLL

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

outlook_office_path

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 10:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 10:36

Reported

2024-02-04 10:39

Platform

win7-20231215-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (5 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2200 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2200 wrote to memory of 2424 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2820 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2224 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2200 wrote to memory of 2632 (14 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2632 wrote to memory of 2776 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 200

Network

N/A

Files

memory/2200-1-0x0000000074090000-0x000000007477E000-memory.dmp

memory/2200-0-0x0000000000A80000-0x0000000000B70000-memory.dmp

memory/2200-2-0x00000000073B0000-0x00000000073F0000-memory.dmp

memory/2200-3-0x0000000000770000-0x000000000078C000-memory.dmp

memory/2200-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

memory/2200-5-0x0000000000930000-0x0000000000944000-memory.dmp

memory/2200-6-0x0000000004800000-0x000000000486E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBE7F.tmp

MD5 3d8f2719af1f502b71946fa07fff7029
SHA1 d9e5b75905f56147f1dcfcaa9a1520cd56dbdc7d
SHA256 73e0c70f2f8650477c248302a886620aac08c1251e642d939518a9c3d756da7f
SHA512 536883ab4445bcbc147371a018949a56b53fd2cd86f02aa794bd532b0466a45f282f999a6fbebc20d572113a1be583d120909c9afa2439294fb566e2597be72d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XBJCM65WNKTPM0HAG4WC.temp

MD5 5ad59e5e80f1a921f1eb26739bdcb129
SHA1 88ac8ad9e872c2d3c90d7a042da7cc6a64429452
SHA256 c36de0304d3958c76b940a6408e3ea3ddd1cc6a5110365a68b3ae231b24c2ef0
SHA512 9bedfb60c13fb112b8eb6254ead2d68378f8eb811cfc8d833d6ded1293ee82c855bd4bc86ff17f7471e8d219b5ff797d04c6ea4aa1438ac3c091ae26f8207014

memory/2200-19-0x0000000074090000-0x000000007477E000-memory.dmp

memory/2632-20-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2820-21-0x000000006DBB0000-0x000000006E15B000-memory.dmp

memory/2424-23-0x000000006DBB0000-0x000000006E15B000-memory.dmp

memory/2632-24-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2820-27-0x000000006DBB0000-0x000000006E15B000-memory.dmp

memory/2632-29-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2424-30-0x000000006DBB0000-0x000000006E15B000-memory.dmp

memory/2632-26-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2632-33-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2632-35-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2632-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2200-36-0x00000000073B0000-0x00000000073F0000-memory.dmp

memory/2424-34-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/2424-32-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/2820-25-0x0000000002690000-0x00000000026D0000-memory.dmp

memory/2632-39-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2200-41-0x0000000074090000-0x000000007477E000-memory.dmp

memory/2632-42-0x0000000000400000-0x000000000055E000-memory.dmp

memory/2424-44-0x000000006DBB0000-0x000000006E15B000-memory.dmp

memory/2820-43-0x000000006DBB0000-0x000000006E15B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 10:36

Reported

2024-02-04 10:39

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (5 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3604 set thread context of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3604 wrote to memory of 1352 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3760 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3144 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3604 wrote to memory of 4184 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3604 wrote to memory of 976 (10 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe

"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
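Added triage example (not part of the sandbox report, and not the sandbox vendor's or the malware's code): the script below replays the process command lines listed in the behavioral1 and behavioral2 Processes sections, together with the behavioral2 WriteProcessMemory and SetThreadContext signature rows, through three rules a detection engineer would run on EDR telemetry: a Defender exclusion added through Add-MpPreference (ATT&CK T1562.001), a scheduled task registered from an XML file staged in Temp (T1053.005), and a run of memory writes ending in SetThreadContext against an argument-less .NET utility such as RegSvcs.exe (T1055.012, process hollowing). Assumptions: which of PIDs 1352 and 3760 ran which Add-MpPreference command line follows the listing order, the hollowing-host list and the rule labels are mine, and the report's repeated rows are reconstructed as repeated strings. The rule for WerFault.exe covers the behavioral1 run, where the hollowed RegSvcs.exe (PID 2632) crashed.

```python
"""Replay sandbox process and injection records through three detection rules.

Added example; not taken from the report or from any vendor tooling. Command
lines are copied from the report's Processes sections; PIDs come from its
signature rows (which powershell.exe got which PID is assumed from the order)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ITEMS SPECIFICATIONS - UNITED ARABIAN COMPANY UAE.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

PROCESS_EVENTS = [  # constructed from the report's behavioral2 listing
    {"pid": 3604, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1352, "image": PS, "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                                          f'Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 3760, "image": PS, "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                                          r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LBvJnfZ.exe"'},
    {"pid": 3144, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LBvJnfZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp"'},
    {"pid": 4184, "image": REGSVCS, "cmdline": f'"{REGSVCS}"'},
    {"pid": 976, "image": REGSVCS, "cmdline": f'"{REGSVCS}"'},
]
INJECTION_ROWS = (  # the report's signature rows, one string per row
    ["PID 3604 wrote to memory of 1352"] * 3 + ["PID 3604 wrote to memory of 3760"] * 3
    + ["PID 3604 wrote to memory of 3144"] * 3 + ["PID 3604 wrote to memory of 4184"] * 3
    + ["PID 3604 wrote to memory of 976"] * 10 + ["PID 3604 set thread context of 976"]
)
# .NET utilities commonly used as hollowing hosts (my list, not from the report)
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_injection_rows(rows):
    """Collapse repeated rows into (src, dst) -> write count and the set of
    (src, dst) pairs that also had a SetThreadContext call."""
    writes, ctx = defaultdict(int), set()
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[3])
        if m[2].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx


def triage(events, rows):
    """Return (pid, technique, note) findings in event order."""
    writes, ctx = parse_injection_rows(rows)
    by_pid = {e["pid"]: e for e in events}
    hollowed = {dst for (_, dst) in ctx}
    findings = []
    for e in events:
        pid, name, cmd = e["pid"], basename(e["image"]), e["cmdline"]
        if name == "powershell.exe":
            m = re.search(r'add-mppreference\s+-exclusionpath\s+"([^"]+)"', cmd, re.I)
            if m:
                findings.append((pid, "T1562.001", f"Defender exclusion added for {m[1]}"))
        elif name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            tn = re.search(r'/tn\s+"([^"]+)"', cmd, re.I)
            xml = re.search(r'/xml\s+"([^"]+)"', cmd, re.I)
            note = f"task {tn[1] if tn else '?'} registered from {xml[1] if xml else '?'}"
            if xml and "\\temp\\" in xml[1].lower():
                note += " (task definition staged in Temp)"
            findings.append((pid, "T1053.005", note))
        elif name in HOLLOW_HOSTS and cmd.strip('" ').lower() == e["image"].lower():
            # An argument-less .NET utility does nothing useful by itself;
            # pair it with whoever wrote into its address space.
            for (src, dst), n in writes.items():
                if dst != pid:
                    continue
                who = f"{basename(by_pid[src]['image'])} (pid {src})"
                if (src, dst) in ctx:
                    findings.append((pid, "T1055.012", f"{who} wrote {n} times then SetThreadContext: hollowed {name}"))
                else:
                    findings.append((pid, "T1055", f"{who} wrote {n} times, no SetThreadContext seen: incomplete injection"))
        elif name == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", cmd)
            if m and int(m[1]) in hollowed:
                findings.append((pid, "note", f"hollowed host pid {m[1]} crashed (WerFault)"))
    return findings


if __name__ == "__main__":
    for pid, tech, note in triage(PROCESS_EVENTS, INJECTION_ROWS):
        print(f"{pid:>5}  {tech:<10} {note}")
```

The first RegSvcs.exe instance (PID 4184) is written to three times without a SetThreadContext, while the second (PID 976) receives ten writes and the context switch; the rule keeps the two apart so an analyst sees the abandoned attempt next to the successful one rather than a single "injection" flag.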

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | - | tcp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
NL | 45.137.22.105:4821 | - | tcp
US | 8.8.8.8:53 | 105.22.137.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp
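Added example (not part of the report): most rows in the table above are PTR queries to 8.8.8.8 for in-addr.arpa names, which are reverse lookups rather than connections the payload made, and only two rows are direct TCP connections. The script below separates the two, turns each in-addr.arpa name back into the IP it asks about, notes which direct peer was also reverse-resolved (45.137.22.105 is; 52.142.223.178 is not), and flags the non-standard port. The port list is my own triage heuristic; the report extracts no Warzone configuration, so which endpoint is the RAT's C2 is not stated on this page and the script only ranks candidates.

```python
"""Split a sandbox network table into direct connections and reverse-DNS noise.

Added example, not part of the report or any vendor tooling. NETWORK_ROWS is
the behavioral2 Network table copied from the report; COMMON_PORTS is my own
triage heuristic, not a statement about which endpoint is the C2."""

NETWORK_ROWS = """\
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 45.137.22.105:4821 tcp
US 8.8.8.8:53 105.22.137.45.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
"""

COMMON_PORTS = {25, 53, 80, 443, 465, 587, 993, 995, 8080}


def ptr_to_ip(name):
    """'105.22.137.45.in-addr.arpa' -> '45.137.22.105'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def parse_rows(text):
    """Rows carry 3 fields (no domain) or 4 fields (domain present)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(text):
    rows = parse_rows(text)
    ptr_ips = {ptr_to_ip(r["domain"]) for r in rows if r["domain"]} - {None}
    direct = [(r["ip"], r["port"], r["proto"]) for r in rows if not r["domain"]]
    return {
        "ptr_lookups": len([r for r in rows if ptr_to_ip(r["domain"])]),
        "direct": direct,
        # a peer that was also reverse-resolved is worth correlating, not proof of C2
        "direct_with_ptr": [ip for ip, _, _ in direct if ip in ptr_ips],
        "unusual_ports": [(ip, port) for ip, port, _ in direct if port not in COMMON_PORTS],
    }


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    print(f"{s['ptr_lookups']} PTR lookups, {len(s['direct'])} direct connections")
    for ip, port, proto in s["direct"]:
        flags = []
        if port not in COMMON_PORTS:
            flags.append("non-standard port")
        if ip in s["direct_with_ptr"]:
            flags.append("reverse-resolved")
        print(f"  {ip}:{port}/{proto}  {', '.join(flags)}")
```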

Files

memory/3604-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/3604-0-0x00000000005E0000-0x00000000006D0000-memory.dmp

memory/3604-2-0x0000000007AE0000-0x0000000008084000-memory.dmp

memory/3604-3-0x00000000075D0000-0x0000000007662000-memory.dmp

memory/3604-4-0x0000000007750000-0x0000000007760000-memory.dmp

memory/3604-5-0x00000000075A0000-0x00000000075AA000-memory.dmp

memory/3604-6-0x00000000078B0000-0x000000000794C000-memory.dmp

memory/3604-7-0x0000000002B00000-0x0000000002B1C000-memory.dmp

memory/3604-8-0x0000000002B60000-0x0000000002B6E000-memory.dmp

memory/3604-9-0x0000000002B70000-0x0000000002B84000-memory.dmp

memory/3604-10-0x0000000008FD0000-0x000000000903E000-memory.dmp

memory/1352-15-0x0000000004960000-0x0000000004996000-memory.dmp

memory/3604-16-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1352-18-0x0000000005190000-0x00000000057B8000-memory.dmp

memory/1352-17-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1352-19-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/3760-20-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1352-21-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/3604-22-0x0000000007750000-0x0000000007760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp

MD5 f7b87a3d7efae43a073393a34522542f
SHA1 b29a98c355378061c7edd74e9a66217ff2c60d9a
SHA256 be6ab24bbb022eea9c6c6297bf4203d9892abdb3c20549e8b296cd9571da8e07
SHA512 547f97cc7e017409767af0e4cda2331fac4ff4d8e6bac4ba206b7972df90ae490c5dce5cce396bee47607c1f95e93b30eaed46ca4949770e7d896b8bf5665d1c

memory/3760-24-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1352-26-0x00000000050C0000-0x0000000005126000-memory.dmp

memory/3760-25-0x0000000004E90000-0x0000000004EB2000-memory.dmp

memory/3760-27-0x0000000005820000-0x0000000005886000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfuq3xmj.vje.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/976-38-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3760-50-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/976-49-0x0000000000400000-0x000000000055E000-memory.dmp

memory/976-51-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3604-52-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/1352-53-0x0000000004C80000-0x0000000004C9E000-memory.dmp

memory/3760-54-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

memory/976-55-0x0000000000400000-0x000000000055E000-memory.dmp

memory/3760-57-0x0000000004A40000-0x0000000004A50000-memory.dmp

memory/1352-56-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/3760-59-0x0000000006440000-0x0000000006472000-memory.dmp

memory/1352-60-0x00000000756B0000-0x00000000756FC000-memory.dmp

memory/3760-58-0x000000007F6A0000-0x000000007F6B0000-memory.dmp

memory/3760-71-0x00000000756B0000-0x00000000756FC000-memory.dmp

memory/1352-70-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/1352-81-0x0000000007170000-0x0000000007213000-memory.dmp

memory/1352-82-0x00000000078A0000-0x0000000007F1A000-memory.dmp

memory/3760-83-0x0000000007170000-0x000000000718A000-memory.dmp

memory/3760-84-0x00000000071E0000-0x00000000071EA000-memory.dmp

memory/1352-85-0x00000000074B0000-0x0000000007546000-memory.dmp

memory/1352-86-0x0000000007430000-0x0000000007441000-memory.dmp

memory/3760-87-0x00000000073A0000-0x00000000073AE000-memory.dmp

memory/1352-88-0x0000000007470000-0x0000000007484000-memory.dmp

memory/1352-90-0x0000000007550000-0x0000000007558000-memory.dmp

memory/1352-89-0x0000000007570000-0x000000000758A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a3f86c3f2caa3b7dc6753e48bf88ab7e
SHA1 5c81604ed630a998900f6b98becf4171ae2c2615
SHA256 de3abd29e75d5918d0697368396bed6c1ba95c8dad5c77eea1238d4b828dfc92
SHA512 ea5538919a52ba21dc8cd293a59a978e1431f039ba4b73ddbc0d526cd2294443753095c4d346e8dd0d6981e927f233229b0f94b60d83db2f02215190f5d17d82

memory/1352-96-0x0000000074E20000-0x00000000755D0000-memory.dmp

memory/3760-97-0x0000000074E20000-0x00000000755D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/976-104-0x0000000003D30000-0x0000000003DB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\mozglue.dll

MD5 75f8cc548cabf0cc800c25047e4d3124
SHA1 602676768f9faecd35b48c38a0632781dfbde10c
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
SHA512 ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

C:\Users\Admin\AppData\Local\Temp\softokn3.dll

MD5 40991fdad54d91a0db42a9489df40185
SHA1 9cb370b0544cc5a3014fe322d648aa584e1a2256
SHA256 f0838cd1013a051a9d22487e1c19d03a2be8a9fb51f659bd51eb02b9a472760d
SHA512 1f0953e22f47d2ce00dd74c9d314376a1a54546c2476e6fc12957d713f911d4c39c2ddc1e2eab2174edc8913b691b091742bf45ae0c0ddeba4300ffccb469f33

C:\Users\Admin\AppData\Local\Temp\freebl3.dll

MD5 e04a26661513ebeedb92a1248d4e156d
SHA1 d1a9d8f7c117b44b543206063c17da3ac1bf2ea0
SHA256 7c960574a3053d88ad175ad23c01d918e7cf6f5297ead73d62af723903b30eab
SHA512 26862358fe5c0889bc29108cab7e0b8baf53cf97d2991aabbf89f61b53fa4a59d4e8f6e514dc0dfa5e3cb83bc5c1cf0b35ad8f08230cc47bb593e135cdfb56b1

C:\Users\Admin\AppData\Local\Temp\nss3.dll

MD5 11b45127f9493e14586ef5e5d31ef01d
SHA1 0e32f3bd94ec0197b153d02721224b065ae53fb3
SHA256 465d6c2a74739cbc21bd94513c374d7fb45dec971d113a4d63518c04c483a577
SHA512 67106157ac1a623065895b1b1c71bf47b598c9a8efc174ef4e6bf121ff3c4fc56a0114efd47e0b27fa6194c033dbf0b232bfc334e6445d451db8eba81a937e04

C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

memory/976-125-0x0000000000400000-0x000000000055E000-memory.dmp

memory/976-126-0x0000000003D30000-0x0000000003DB4000-memory.dmp
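Added example (not part of the report): the Files list above mixes three kinds of entries, and a triage script should tell them apart before anything is blocklisted. The six DLLs written to Temp are the Mozilla NSS libraries (nss3.dll, mozglue.dll, softokn3.dll, freebl3.dll) plus the MSVC runtime they depend on; stealers drop this set so they can call NSS to decrypt Firefox and Thunderbird saved logins on the victim. The __PSScriptPolicyTest_*.ps1, StartupProfileData-NonInteractive and CLR UsageLogs\powershell.exe.log entries are side effects of powershell.exe starting, not malware drops. tmp3E9A.tmp is the file named in the schtasks /XML argument. Among the memory dumps, the region 0x400000-0x55E000 is dumped repeatedly from PID 976 here and from PID 2632 in behavioral1, the same size in both runs, which is the region to carve for the unpacked payload. The script below parses an excerpt of the list (paths, SHA256 values and dump names copied from the report, other hash lines omitted) and applies those classifications; the class names are mine, and the report's "Loads dropped DLL" signature carries no detail rows, so which DLL was actually loaded is not stated on this page.

```python
"""Classify the dropped-file and memory-dump entries of a sandbox Files list.

Added example; not part of the report. FILES_TEXT is an excerpt of the
behavioral2 Files section (paths, SHA256 values and dump names copied from the
report; the other hash lines are omitted). Class names are mine."""
import re
from collections import defaultdict

TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp"  # from the schtasks /XML argument

FILES_TEXT = r"""
memory/3604-0-0x00000000005E0000-0x00000000006D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3E9A.tmp
MD5 f7b87a3d7efae43a073393a34522542f
SHA256 be6ab24bbb022eea9c6c6297bf4203d9892abdb3c20549e8b296cd9571da8e07
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfuq3xmj.vje.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
memory/976-38-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
SHA256 de3abd29e75d5918d0697368396bed6c1ba95c8dad5c77eea1238d4b828dfc92
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
C:\Users\Admin\AppData\Local\Temp\mozglue.dll
SHA256 fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
C:\Users\Admin\AppData\Local\Temp\softokn3.dll
SHA256 f0838cd1013a051a9d22487e1c19d03a2be8a9fb51f659bd51eb02b9a472760d
C:\Users\Admin\AppData\Local\Temp\freebl3.dll
SHA256 7c960574a3053d88ad175ad23c01d918e7cf6f5297ead73d62af723903b30eab
C:\Users\Admin\AppData\Local\Temp\nss3.dll
SHA256 465d6c2a74739cbc21bd94513c374d7fb45dec971d113a4d63518c04c483a577
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
memory/976-125-0x0000000000400000-0x000000000055E000-memory.dmp
memory/976-126-0x0000000003D30000-0x0000000003DB4000-memory.dmp
"""

NSS_LIBS = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll"}
MSVC_RUNTIME = {"msvcp140.dll", "vcruntime140.dll"}
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)")


def parse_files(text):
    """Return (files, dumps): files carry their hash lines, dumps carry pid/start/size."""
    files, dumps = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := MEM_RE.fullmatch(line):
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
        elif (m := HASH_RE.fullmatch(line)) and files:
            files[-1][m[1].lower()] = m[2]     # hash line belongs to the preceding path
        else:
            files.append({"path": line})
    return files, dumps


def classify(path, task_xml=None):
    name = path.rsplit("\\", 1)[-1].lower()
    if name in NSS_LIBS:
        return "nss-library"            # Mozilla NSS, used to decrypt Firefox/Thunderbird logins
    if name in MSVC_RUNTIME:
        return "msvc-runtime"           # CRT the NSS build depends on
    if name.startswith("__psscriptpolicytest_") and name.endswith(".ps1"):
        return "powershell-policy-probe"   # written by powershell.exe itself at start
    if name == "startupprofiledata-noninteractive" or "\\clr_v4.0_32\\usagelogs\\" in path.lower():
        return "powershell-runtime-artifact"
    if task_xml and path.lower() == task_xml.lower():
        return "scheduled-task-xml"        # the file schtasks /XML imported
    return "unclassified"


def summarize_files(text, task_xml=None):
    files, dumps = parse_files(text)
    by_class = defaultdict(list)
    for f in files:
        by_class[classify(f["path"], task_xml)].append(f["path"])
    names = {f["path"].rsplit("\\", 1)[-1].lower() for f in files}
    regions = defaultdict(int)
    for d in dumps:
        regions[(d["pid"], d["start"], d["size"])] += 1
    return {
        "by_class": dict(by_class),
        "nss_bundle_complete": NSS_LIBS <= names,
        "dropped_pe_sha256": sorted(f["sha256"] for f in files
                                    if f["path"].lower().endswith((".dll", ".exe")) and "sha256" in f),
        # the same region dumped repeatedly from one pid is the first thing to carve
        "repeated_regions": sorted(k for k, n in regions.items() if n > 1),
    }


if __name__ == "__main__":
    s = summarize_files(FILES_TEXT, TASK_XML)
    for cls, paths in s["by_class"].items():
        print(f"{cls}: {len(paths)} file(s)")
    print("NSS bundle complete:", s["nss_bundle_complete"])
    for pid, start, size in s["repeated_regions"]:
        print(f"pid {pid}: region 0x{start:X} (+0x{size:X}) dumped more than once")
```

Only the six DLL hashes end up in dropped_pe_sha256; the PowerShell artefacts vary per host and per run, so blocklisting their hashes would produce nothing but noise.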