Malware Analysis Report

2024-10-23 22:01

Sample ID 230727-qwjnvaeg92
Target NA_17d541ebec88f36a380096bc3_JC.vbs
SHA256 17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
Tags
agenttesla wshrat collection keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9

Threat Level: Known bad

The file NA_17d541ebec88f36a380096bc3_JC.vbs was found to be: Known bad.

Malicious Activity Summary

agenttesla wshrat collection keylogger persistence spyware stealer trojan

AgentTesla

WSHRAT

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Drops startup file

Executes dropped EXE

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Modifies registry class

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-27 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-27 13:36

Reported

2023-07-27 13:39

Platform

win7-20230712-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_17d541ebec88f36a380096bc3_JC.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_17d541ebec88f36a380096bc3_JC.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NA_17d541ebec88f36a380096bc3_JC.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\keylogger.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 lee44.kozow.com udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 smtp.gmail.com udp
NL 142.250.102.109:587 smtp.gmail.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp

Files

C:\Users\Admin\AppData\Roaming\NA_17d541ebec88f36a380096bc3_JC.vbs

MD5 535074e18bb8158e02c210a49b608d27
SHA1 773c9512cb8e3629d90abbb2c61bab322032511d
SHA256 17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA512 43e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs

MD5 535074e18bb8158e02c210a49b608d27
SHA1 773c9512cb8e3629d90abbb2c61bab322032511d
SHA256 17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA512 43e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966

C:\Users\Admin\AppData\Roaming\keylogger.vbs

MD5 eb6cbe2f11642772cf11896551a03673
SHA1 a3d196c4ec0eb4f563e38e0d9d9b4f9dbd738adf
SHA256 3bd943ecdb221e050c19ceda7dcf479fb70554e81630426dca7d7962770eadaa
SHA512 d488f65ad29300141da45d655af80546217083f616746843de2477b053720afc212a8994c1705e7a27dc26d49bd4962a2761a46a8f667753aaea47da27bf46de

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d1f85ec72f11699fed66783d175760e5
SHA1 08b642efb0b1f483f955156c2dc890e90e867cf5
SHA256 3e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA512 8209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97

memory/2700-70-0x00000000009E0000-0x0000000000A10000-memory.dmp

memory/2700-71-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/2700-73-0x00000000047E0000-0x0000000004820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Windows Update\Windows Update.exe

MD5 d1f85ec72f11699fed66783d175760e5
SHA1 08b642efb0b1f483f955156c2dc890e90e867cf5
SHA256 3e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA512 8209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97

memory/2700-84-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/2700-85-0x00000000047E0000-0x0000000004820000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-27 13:36

Reported

2023-07-27 13:39

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_17d541ebec88f36a380096bc3_JC.vbs"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NA_17d541ebec88f36a380096bc3_JC = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\NA_17d541ebec88f36a380096bc3_JC.vbs\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\System32\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NA_17d541ebec88f36a380096bc3_JC.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NA_17d541ebec88f36a380096bc3_JC.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\keylogger.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 lee44.kozow.com udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 161.97.37.194.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 smtp.gmail.com udp
NL 142.250.102.109:587 smtp.gmail.com tcp
US 8.8.8.8:53 109.102.250.142.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 194.37.97.161:4078 lee44.kozow.com tcp
US 194.37.97.161:4078 lee44.kozow.com tcp

Files

C:\Users\Admin\AppData\Roaming\NA_17d541ebec88f36a380096bc3_JC.vbs

MD5 535074e18bb8158e02c210a49b608d27
SHA1 773c9512cb8e3629d90abbb2c61bab322032511d
SHA256 17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA512 43e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NA_17d541ebec88f36a380096bc3_JC.vbs

MD5 535074e18bb8158e02c210a49b608d27
SHA1 773c9512cb8e3629d90abbb2c61bab322032511d
SHA256 17d541ebec88f36a380096bc34ab5e358a75a02395f14ce35b067304d94260f9
SHA512 43e1afa8d1e08fb7b12ebf6edb075ea5ce0df662e890b57fe5b95d831fbb0c69063c7c44055cdfce627c5a3aecee32f5beeeb443af66bbdc31f7551b34bda966

C:\Users\Admin\AppData\Roaming\keylogger.vbs

MD5 eb6cbe2f11642772cf11896551a03673
SHA1 a3d196c4ec0eb4f563e38e0d9d9b4f9dbd738adf
SHA256 3bd943ecdb221e050c19ceda7dcf479fb70554e81630426dca7d7962770eadaa
SHA512 d488f65ad29300141da45d655af80546217083f616746843de2477b053720afc212a8994c1705e7a27dc26d49bd4962a2761a46a8f667753aaea47da27bf46de

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 d1f85ec72f11699fed66783d175760e5
SHA1 08b642efb0b1f483f955156c2dc890e90e867cf5
SHA256 3e9ee225b6d213f8e5e6ab0b6d14f85daf0fc5d3e47942277997fff940b5acb7
SHA512 8209e250bff8e06123b5446ea9a0321fbf18a93897937b01bca8930036f07f67c703f26828152752b50a9b87a1cd6eea6d50dbd19e3f34d17ffd750157f36f97

memory/4652-155-0x0000000074490000-0x0000000074C40000-memory.dmp

memory/4652-156-0x0000000000C20000-0x0000000000C50000-memory.dmp

memory/4652-157-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/4652-158-0x00000000057F0000-0x0000000005800000-memory.dmp

memory/4652-159-0x0000000005620000-0x0000000005686000-memory.dmp

memory/4652-164-0x0000000006510000-0x0000000006560000-memory.dmp

memory/4652-165-0x0000000006730000-0x00000000068F2000-memory.dmp

memory/4652-175-0x0000000006600000-0x000000000669C000-memory.dmp

memory/4652-176-0x0000000006CE0000-0x0000000006D72000-memory.dmp

memory/4652-177-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

memory/4652-180-0x0000000074490000-0x0000000074C40000-memory.dmp

memory/4652-181-0x00000000057F0000-0x0000000005800000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5XLATO3O\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3