Malware Analysis Report

2024-12-01 03:05

Sample ID 241108-h1pfwsybqr
Target 2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N
SHA256 2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552
Tags collection discovery spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552

Threat Level: Shows suspicious behavior

The file 2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

collection discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Enumerates connected drives

Checks installed software on the system

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Control Panel

Suspicious use of UnmapMainImage

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 07:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 07:12

Reported

2024-11-08 07:14

Platform

win7-20240729-en

Max time kernel

105s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ntcms.exe N/A
N/A N/A C:\Windows\SysWOW64\rasui.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\rasui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\srvlib.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\rasui.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\rasui.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Contacts C:\Windows\SysWOW64\rasui.exe N/A
File opened for modification C:\Windows\SysWOW64\ntcms.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\msenv.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\msenv.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\srvlib.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rasui.exe N/A
File opened for modification C:\Windows\SysWOW64\objip.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\objip.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\ntcms.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini C:\Windows\SysWOW64\rasui.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rasui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Modifies Control Panel

evasion

Note: the values below point the user's screensaver (SCRNSAVE.EXE) at srvlib.scr, a file the sample itself created in SysWOW64, and lower ScreenSaveTimeOut to 60 seconds, so the dropped payload is launched after one minute of idle time. This is persistence via the screensaver handler (ATT&CK T1546.002, Event Triggered Execution: Screensaver), not only evasion.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveBackup C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvlib.scr" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveUtility = "C:\\Windows\\SysWOW64\\msenv.scr" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
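Two patterns in the behavioral1 rows are worth turning into reusable triage logic: the burst of read-only opens of \??\E: through \??\Z: under Enumerates connected drives (both by the sample and by the dropped rasui.exe), and the SCRNSAVE.EXE value above pointing at a .scr the same process had just created, with ScreenSaveTimeOut lowered to 60. The Python below is an added example, not code from the sandbox or from the sample; it parses rows in the report's own "Description Indicator Process Target" layout and applies both rules. The embedded rows are a subset copied from this report, with the sample's long hash-named path shortened to sample.exe; the threshold of eight distinct drive letters is an assumption.

```python
"""Triage rules over sandbox signature rows (added example, not sandbox code)."""
import re
from collections import defaultdict

# Row layout assumed from the report: <description> <indicator> <process> <target>.
# The process column is a path without spaces ending in .exe; the target is one token.
DESCRIPTIONS = [
    "File opened for modification", "File opened (read-only)", "File created",
    "Key created", "Key opened", "Set value (str)", "Set value (int)", "Set value (data)",
]
ROW = re.compile(
    r"^(?P<desc>" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r")\s+"
    + r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\\S+\.exe)\s+(?P<target>\S+)$"
)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # matches \??\X:
SCRNSAVE_RE = re.compile(r'\\Control Panel\\Desktop\\SCRNSAVE\.EXE = "(?P<path>[^"]+)"$')
TIMEOUT_RE = re.compile(r'\\Control Panel\\Desktop\\ScreenSaveTimeOut = "(?P<secs>\d+)"$')

# Subset of rows copied from the report; the sample's hash-named path is shortened to sample.exe.
SAMPLE_ROWS = r"""
File opened (read-only) \??\R: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\rasui.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\SysWOW64\srvlib.scr C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\SysWOW64\msenv.scr C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\SysWOW64\rasui.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvlib.scr" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""


def parse_rows(text):
    """Return one dict per row that matches the report layout; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def drive_enumeration(events, threshold=8):
    """Processes that opened at least `threshold` distinct drive letters read-only."""
    letters = defaultdict(set)
    for e in events:
        m = DRIVE_RE.match(e["indicator"])
        if m and e["desc"] == "File opened (read-only)":
            letters[e["process"]].add(m.group(1))
    return {p: sorted(s) for p, s in letters.items() if len(s) >= threshold}


def screensaver_persistence(events):
    """SCRNSAVE.EXE set to a .scr: report whether the same process dropped that file
    and which idle timeout it configured (ATT&CK T1546.002)."""
    created = defaultdict(set)
    timeouts = {}
    for e in events:
        if e["desc"] == "File created":
            created[e["process"]].add(e["indicator"].lower())
        m = TIMEOUT_RE.search(e["indicator"])
        if m and e["desc"].startswith("Set value"):
            timeouts[e["process"]] = int(m.group("secs"))
    findings = []
    for e in events:
        m = SCRNSAVE_RE.search(e["indicator"])
        if not (m and e["desc"].startswith("Set value")):
            continue
        path = m.group("path").replace("\\\\", "\\")  # the registry dump doubles backslashes
        findings.append({
            "process": e["process"],
            "scr": path,
            "self_dropped": path.lower() in created[e["process"]],
            "timeout_secs": timeouts.get(e["process"]),
        })
    return findings


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    for proc, drives in drive_enumeration(evts).items():
        print(f"drive sweep by {proc}: {''.join(drives)}")
    for finding in screensaver_persistence(evts):
        print(f"screensaver persistence: {finding}")
```

On the full report both the sample and rasui.exe trip the drive-sweep rule (each touches E: through Z:), and the screensaver rule reports srvlib.scr as self-dropped with a 60-second timeout; a legitimate screensaver change from the Control Panel would come from a process that did not also write the .scr file.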

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = [binary value not captured in this copy of the report] C:\Windows\SysWOW64\rasui.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rasui.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rasui.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rasui.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\SysWOW64\rasui.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "1" C:\Windows\SysWOW64\rasui.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rasui.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rasui.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rasui.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB C:\Windows\SysWOW64\rasui.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000 C:\Windows\SysWOW64\rasui.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\rasui.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rasui.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "2" C:\Windows\SysWOW64\rasui.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = [binary value not captured in this copy of the report] C:\Windows\SysWOW64\rasui.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rasui.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0" C:\Windows\SysWOW64\rasui.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = [binary value not captured in this copy of the report] C:\Windows\SysWOW64\rasui.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Suspicious use of AdjustPrivilegeToken

Note: SeDebugPrivilege is what a process needs to open processes it does not own (it goes with the EnumeratesProcesses and WriteProcessMemory signatures in the summary); SeBackupPrivilege lets a process read files regardless of their ACLs, which fits the browser-profile and Outlook-profile reads above. Both the sample and the dropped rasui.exe enable them repeatedly.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\rasui.exe N/A

Suspicious use of UnmapMainImage

Note: unmapping a process's main image (NtUnmapViewOfSection on the image base) is the first step of process hollowing, where the original image is replaced with attacker-supplied code before the main thread runs. Together with the WriteProcessMemory signature in the summary, this is the pattern to check for in the memory dumps listed under Files.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Windows\SysWOW64\rasui.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe

"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"

C:\Windows\SysWOW64\ntcms.exe

C:\Windows\SysWOW64\ntcms.exe /combine local system

C:\Windows\system32\taskeng.exe

taskeng.exe {94BA1BA8-1E69-450F-B757-6D07A4C32703} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\rasui.exe

C:\Windows\SysWOW64\rasui.exe nay

Note: rasui.exe appears under the Task Scheduler engine instance for the SYSTEM account (S-1-5-18), which matches its writes under C:\Windows\SysWOW64\config\systemprofile (the SYSTEM account's profile) in the Drops file in System32 directory table. The report does not show the task registration itself.

Network

Country Destination Domain Proto
US 199.231.188.109:21 tcp
US 199.231.188.109:21 tcp
US 199.231.188.109:21 tcp

Three TCP connections to 199.231.188.109 on port 21 (the well-known FTP port) with no domain resolved, so the address is hard-coded rather than looked up via DNS. A stealer talking FTP to a bare IP is consistent with an exfiltration channel, but this report records only the connections, not the payload.

Files

memory/2328-0-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2328-1-0x0000000001EF0000-0x0000000001F38000-memory.dmp

memory/2328-2-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2328-3-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Windows\SysWOW64\ntcms.exe

MD5 463707993d1b58318cb90ab09a75d7bf
SHA1 e8cd32f9b8f0196864dc0a3d2ab70b54493aad93
SHA256 ff53b256e4f682ec6b937675206fb8a7410970366fd1f0a0ccbdd516ff94b183
SHA512 c1aa71584ff78e17bb401332306bd4041baf7c1c9c2ab43397e1ae7b701ccff75cb3e3c0a5bad843738cc63600f53e484bba2a53c086cf070c46773502bf2587

C:\Windows\SysWOW64\rasui.exe

MD5 0e1e2f4228974105000cb8f56afe8e8c
SHA1 fb849d7c6efb483655eb5260b31f3575c113ea2e
SHA256 0ed316d503424fe4a0b78646f082aeb70b9bb632541e97d141e8748bfeb22dee
SHA512 13f4568916a427a2ca699c5f89336738d8fd186b442f2f193b433431bfbce8ef2554f96f9df78573c75694fc729e7439818e14a711aa759a20593fb4820a1a7a

C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol

MD5 59babb838a876914f6b5402512da3d41
SHA1 eb72a9af96d374bc1d0045513ae1f4541060a7e5
SHA256 443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866
SHA512 6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea

memory/2704-74-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini

MD5 eefa7f76ff11a5ec21bb777b798ac46c
SHA1 2e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 07:12

Reported

2024-11-08 07:14

Platform

win10v2004-20241007-en

Max time kernel

101s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\lsapc.exe N/A
N/A N/A C:\Windows\SysWOW64\engfw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\engfw.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\engfw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\srvschd.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\engfw.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\engfw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\engfw.exe N/A
File created C:\Windows\SysWOW64\wdmdsp.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\lsapc.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\englib.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\engfw.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\engfw.exe N/A
File opened for modification C:\Windows\SysWOW64\wdmdsp.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\englib.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\srvschd.scr C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File created C:\Windows\SysWOW64\engfw.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini C:\Windows\SysWOW64\engfw.exe N/A
File opened for modification C:\Windows\SysWOW64\lsapc.exe C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Contacts C:\Windows\SysWOW64\engfw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\lsapc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\engfw.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\SysWOW64\\srvschd.scr" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveUtility = "C:\\Windows\\SysWOW64\\englib.scr" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\ScreenSaveBackup C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedPropCount = "1" C:\Windows\SysWOW64\engfw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = [binary value not captured in this export] C:\Windows\SysWOW64\engfw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0" C:\Windows\SysWOW64\engfw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB C:\Windows\SysWOW64\engfw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = [binary value not captured in this export] C:\Windows\SysWOW64\engfw.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedPropCount = "2" C:\Windows\SysWOW64\engfw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = [binary value not captured in this export] C:\Windows\SysWOW64\engfw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\engfw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\engfw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\engfw.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced C:\Windows\SysWOW64\engfw.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000 C:\Windows\SysWOW64\engfw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\engfw.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe

"C:\Users\Admin\AppData\Local\Temp\2ae34d0a6ce3d6402e9820e07567f2e97dbc8f465f601b54e2693c64ad3f6552N.exe"

C:\Windows\SysWOW64\lsapc.exe

C:\Windows\SysWOW64\lsapc.exe /combine local system

C:\Windows\SysWOW64\engfw.exe

C:\Windows\SysWOW64\engfw.exe u0k

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 199.231.188.109:21 tcp
US 199.231.188.109:21 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2348-0-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2348-1-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2348-2-0x0000000002710000-0x0000000002758000-memory.dmp

memory/2348-3-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sqlinf.exe

MD5 b59199877e0d68a5e93fc8ea76374ed1
SHA1 7803f160af428bcfb4b9ea2aba07886f232cde4e
SHA256 5b50e26a01b320f05d66727e9d220d5858cdac203ff62e4b9ced1cafc2683637
SHA512 9815ee218c7f737ef662f5fb44844ec17c6b9552e0432f2f8c60aded2fa19bb8157ec0839046ac387f604672137c417a98a8181440869316209a70a9d0e6a210

C:\Windows\SysWOW64\lsapc.exe

MD5 69e091b02788a3b03799f2db5b66f5b0
SHA1 669bd7ef19ee7747b40eda81dee0f15cec9389d8
SHA256 e7f9bd4eaaa2c8de00768446fa3c57c940caf5d0a575f9e4f860621a70dd51a5
SHA512 22006fa4331599894f9f38285d57d732a4ace456ea5aa6f65d6325bce5fd4a35f09f527915ebe33169a048da68772549ef6f349a6b8cbebd757ff3207b6a12f4

C:\Users\Admin\AppData\Local\Temp\libenv.scr

MD5 933b3c5d3728ef6e08af4ae579c00d11
SHA1 42dbfbedd813e6dbea1398323f085a88fa014293
SHA256 47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1
SHA512 054c8fe49dad9571f7a1c2d015fdf2cc3589113517dc246baa3e68a62c186243d860566fa6339beec07a29c480f57a1009db4f51b813dfae4c26193b82baea1b

C:\Windows\SysWOW64\engfw.exe

MD5 2fc6f3f4cb92c88f72467a1dd2de9b3f
SHA1 20761b44adc932cd3fec230cc303f0aa4bf456fc
SHA256 4be6da46eae171e4a1f100eb37b7fdd8381b3dc564f94a5228778c1a64214cef
SHA512 cf412c73be7b97121ce149007696419572721c9f822250152ce88bad95e0951cd4129e44bc6cc6ab57212d42707042f9965a1232a0365edf76e7c7f0c41cbc04

C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol

MD5 59babb838a876914f6b5402512da3d41
SHA1 eb72a9af96d374bc1d0045513ae1f4541060a7e5
SHA256 443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866
SHA512 6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea

memory/3664-72-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3664-73-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/3664-75-0x0000000000400000-0x00000000005AF000-memory.dmp