Malware Analysis Report

2024-09-22 21:53

Sample ID 240304-qqvtxsbc71
Target b23d6c569893579789695f3d05accbe1
SHA256 93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c
Tags
azorult oski raccoon zgrat 43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3 infostealer rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

Threat Level: Known bad

The file b23d6c569893579789695f3d05accbe1 was found to be: Known bad.

Malicious Activity Summary

Raccoon

Detect ZGRat V1

ZGRat

Oski

Raccoon Stealer V1 payload

Azorult

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-04 13:28

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-04 13:28
Reported: 2024-03-04 13:30
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows (identical rows collapsed; Rows is how many times the row appears)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 56
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A 6

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Indicator and Target are N/A for every row). The token sequence below is listed three times in the report: the second listing omits the leading Token: SeDebugPrivilege, and the third listing ends at Token: 35.
Token: SeDebugPrivilege
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: 33
Token: 34
Token: 35
Token: 36

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows (identical rows collapsed; Rows is how many times the row appears)
PID 4636 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 4636 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4636 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe 9
PID 1636 wrote to memory of 3924 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe 3
PID 3924 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 3924 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 1

Processes

Each entry is the process image path followed (indented) by its command line; consecutive identical entries are collapsed with an instance count.

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
    "C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (10 instances)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
    C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
    "C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (10 instances)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe (2 instances)
    C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
    "C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (10 instances)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe
    C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3228 -ip 3228

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1324

Network

Country  Destination          Domain                       Proto   (- = no domain recorded)
US       8.8.8.8:53           0.181.190.20.in-addr.arpa    udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa    udp
US       8.8.8.8:53           google.com                   udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa    udp
NL       52.142.223.178:80    -                            tcp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53           telete.in                    udp
DE       185.53.177.54:443    telete.in                    tcp
US       8.8.8.8:53           54.177.53.185.in-addr.arpa   udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa    udp
US       8.8.8.8:53           mazoyer.ac.ug                udp
US       8.8.8.8:53           mazoyer.ac.ug                udp
US       8.8.8.8:53           202.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53           mazooyaar.ac.ug              udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53           187.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53           -                            udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e15a4hxj.bff.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4060-22-0x0000000005020000-0x0000000005374000-memory.dmp

memory/4060-23-0x0000000005D90000-0x0000000005DAE000-memory.dmp

memory/4060-24-0x0000000005E40000-0x0000000005E8C000-memory.dmp

memory/4060-25-0x0000000006310000-0x00000000063A6000-memory.dmp

memory/4060-26-0x0000000006290000-0x00000000062AA000-memory.dmp

memory/4060-27-0x00000000062E0000-0x0000000006302000-memory.dmp

memory/4060-28-0x0000000007F50000-0x00000000085CA000-memory.dmp

memory/4060-29-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4296-30-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4296-31-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/4296-32-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/4296-42-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/4296-43-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1636-44-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1636-45-0x0000000002A10000-0x0000000002A20000-memory.dmp

memory/1636-46-0x0000000002A10000-0x0000000002A20000-memory.dmp

memory/1636-56-0x0000000005DC0000-0x0000000006114000-memory.dmp

memory/1636-57-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/2868-58-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/2868-59-0x00000000052A0000-0x00000000052B0000-memory.dmp

memory/2868-69-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1920-70-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1920-71-0x0000000004890000-0x00000000048A0000-memory.dmp

memory/4636-72-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1920-82-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4992-83-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4992-84-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/4992-90-0x0000000006010000-0x0000000006364000-memory.dmp

memory/4992-95-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1328-96-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4636-97-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/1328-98-0x0000000002520000-0x0000000002530000-memory.dmp

memory/1328-108-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/2892-109-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/2892-110-0x0000000002830000-0x0000000002840000-memory.dmp

memory/2892-120-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4176-122-0x0000000004810000-0x0000000004820000-memory.dmp

memory/4176-121-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4176-123-0x0000000004810000-0x0000000004820000-memory.dmp

memory/4176-133-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1704-134-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1704-135-0x00000000030D0000-0x00000000030E0000-memory.dmp

memory/1704-146-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4636-145-0x0000000006CE0000-0x0000000006E38000-memory.dmp

memory/4636-147-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-148-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-150-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-152-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-156-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-154-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-158-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-160-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-162-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-164-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-166-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-168-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-172-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-170-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-174-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-176-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-178-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-180-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-182-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-184-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-186-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-190-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-188-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-192-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-194-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-196-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-198-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-200-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-202-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-204-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-206-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-208-0x0000000006CE0000-0x0000000006E33000-memory.dmp

memory/4636-209-0x0000000006AF0000-0x0000000006B66000-memory.dmp

memory/4636-210-0x0000000006E40000-0x0000000006F64000-memory.dmp

memory/4636-211-0x0000000006E40000-0x0000000006F5E000-memory.dmp

memory/4636-212-0x0000000006E40000-0x0000000006F5E000-memory.dmp

memory/4636-2487-0x0000000006B70000-0x0000000006B8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs

MD5 eedf5b01d8c6919df80fb4eeef481b96
SHA1 c2f13824ede4e9781aa1d231c3bfe65ee57a5202
SHA256 c470d243098a7051aa0914fcda227fa4ae3b752556a5de16da5d73a169005aa4
SHA512 c9db4dff46d7517270dda041eca132368edc87bac7d0926b5179d7c385696a7b648c2b99bb444a08c60c95fd4dbd01700f17a8c9cb678bef680a8f681d248822

memory/4636-2497-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/1784-2499-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

MD5 bff1438036ccf8be218ec89f2e92230b
SHA1 805cabda5796988cdf0b624585fc4fcc514f141d
SHA256 493aa6892b773d1e49a1f861eb163134759fa1a9f44708bfdf1148231606b4be
SHA512 f9f3b256998e157d5140c0d3e8f1aa103a8d361c6cafb745e22bc1f805cad0f3d4599880534c50443ec1fd9ae907e2e6d6643c89e503e71df8e4769bc02034ff

memory/3924-2501-0x0000000000FD0000-0x0000000001092000-memory.dmp

memory/3924-2502-0x0000000074580000-0x0000000074D30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs

MD5 8e6ed0e063f11f70636a3f17f2a6ff0a
SHA1 4eb2da6280255683781c4b2e3e2e77de09d7d3ba
SHA256 bfd0eeb6d76e800e9fc6ffc2924ed0f8a4562bd2446ec503362ed325094e7561
SHA512 061a55f826961a96609717eb173b3f4bade372e4e26f9eae6b84f45b2bcdb97687e7d79b6d450f6a92a9805c799f623a04c7bb59550e2027ba3cf5d172a34e0e

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

MD5 81b52a797709cd2b43a567beb918f288
SHA1 91f7feded933ff4861dd2c00f971595d7dd89513
SHA256 ce7db669ec00c7169451964b79a5b3ac018e87c5dfd2ed0c89482c30f74d4bae
SHA512 70cfe54f9bf63e5d639b377efbb530b0983dcaaf6f09b0ac74b349ab1640a5eeeb98d9f22f4241a5e2da28868f183574393ffd6823bdfab00c5b102ae9443123

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 13:28

Reported

2024-03-04 13:31

Platform

win7-20240221-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"

Signatures

Azorult

trojan infostealer azorult

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
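The two rows above show the sample creating an entry under the machine Trusted Root store (HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, keyed by the certificate's SHA-1 thumbprint) and writing its Blob value. Anything chaining to that certificate is then trusted machine-wide, so the thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is the artefact to search for and remove on hosts that ran this sample. Windows' automatic root updates land under AuthRoot, not ROOT, so writes to this key normally come from an administrator (certutil, the Certificates MMC snap-in, Group Policy), and a write from a binary in a user temp directory is a strong signal. The detection below is an added example, not part of the report: it runs over tab-separated registry events in the shape of these rows (the first two are the report's indicators, the rest are constructed), rates the writer, and emits the certutil -delstore command that undoes the change. The trusted-writer list and the user-writable path markers are assumptions to tune per environment.

```python
"""Detection for Trusted Root store tampering, run over registry events shaped
like the 'Modifies system certificate store' rows above (added example, not
part of the original report)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Machine-wide Trusted Root store. Automatic root updates go to AuthRoot, not
# here, so a write to ROOT\Certificates\<thumbprint> is a deliberate act.
ROOT_STORE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\"
    r"([0-9A-F]{40})(?:\\Blob)?$",
    re.IGNORECASE,
)

# Assumptions for this example: path markers a user can write to, and the
# admin tooling that legitimately edits the root store on managed hosts.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
TRUSTED_WRITERS = {
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\mmc.exe",
}

# Constructed event lines, "action<TAB>key<TAB>process". The first two are the
# indicators from the report; the remaining three are constructed benign events.
EVENTS = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8",
     r"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"),
    ("Set value (data)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob",
     r"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"),
    ("Set value (data)",   # automatic root update: different store, ignored
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     r"C:\Windows\System32\svchost.exe"),
    ("Set value (data)",   # admin adding a root with certutil: low severity
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\FEDCBA9876543210FEDCBA9876543210FEDCBA98\Blob",
     r"C:\Windows\System32\certutil.exe"),
    ("Set value (data)",   # unrelated key, ignored by this rule
     r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     r"C:\Windows\explorer.exe"),
]
EVENT_LINES = "\n".join("\t".join(e) for e in EVENTS)


@dataclass(frozen=True)
class Finding:
    thumbprint: str
    process: str
    severity: str


def classify_writer(process: str) -> str:
    """Rate the writing process by where its image lives."""
    p = process.lower()
    if p in TRUSTED_WRITERS:
        return "low"
    if any(marker in p for marker in USER_WRITABLE):
        return "high"
    return "medium"


def parse_events(text: str):
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            yield tuple(parts)


def detect_root_store_writes(text: str) -> list[Finding]:
    """One finding per (thumbprint, writer); key creation and the Blob write
    of the same certificate collapse into a single finding."""
    seen: dict[tuple[str, str], Finding] = {}
    for _action, key, process in parse_events(text):
        m = ROOT_STORE.match(key)
        if not m:
            continue
        thumb = m.group(1).upper()
        seen.setdefault((thumb, process), Finding(thumb, process, classify_writer(process)))
    return list(seen.values())


def remediation_commands(findings: list[Finding]) -> list[str]:
    """certutil invocations that remove the rogue roots from the machine store."""
    return [f"certutil -delstore Root {f.thumbprint}"
            for f in findings if f.severity != "low"]


if __name__ == "__main__":
    found = detect_root_store_writes(EVENT_LINES)
    for f in found:
        print(f"{f.severity:6} {f.thumbprint} written by {f.process}")
    print("\n".join(remediation_commands(found)))
```

Run as an elevated administrator, the emitted certutil command removes the certificate from the machine ROOT store; the same thumbprint should also be checked in the current-user store (HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT) if the host was not running the sample with administrative rights.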

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1256 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WScript.exe
PID 1256 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WScript.exe
PID 1256 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WScript.exe
PID 1256 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Windows\SysWOW64\WScript.exe
PID 1256 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 1256 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe
PID 2064 wrote to memory of 972 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
PID 2064 wrote to memory of 972 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe
PID 972 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 972 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
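The rows above record one WriteProcessMemory call each and the same writer/target pair repeats, so the table reads better as a graph. An added example, not code from the original report: it parses rows in the table's own format, rebuilds the writer-to-target tree, and pulls out two things an analyst wants from it: the longest chain (the sample writing into WScript.exe, which runs the dropped .vbs, which launches Oggnfkemtibcinconsoleapp16.exe, which in turn writes into a PowerShell process) and the cases where the sample writes into a fresh instance of its own image (PIDs 3068 and 2532, which appear in the Processes list below with no command line). Repeated writes from a parent into a process it has just created are the shape of a loader unpacking a payload into a child rather than ordinary process creation; that reading is an interpretation, not a finding of the report. Only two rows per edge are embedded to keep the example short; the table has four for most edges and ten for the write into 2532. A side note on the paths: the command lines name System32 while the image paths are SysWOW64 because the sample runs as a 32-bit process and WOW64 file-system redirection maps its System32 references to SysWOW64.

```python
"""Process-injection graph built from the 'Suspicious use of WriteProcessMemory'
rows above (added example, not part of the original report)."""
from __future__ import annotations
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"

# Two rows per edge in the report's own row format (the real table has four
# for most edges and ten for PID 2532); duplicates are kept because each row
# is one WriteProcessMemory call.
WPM_ROWS = "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
    for p, c, pi, ci in [
        (1256, 2580, SAMPLE, PS), (1256, 2580, SAMPLE, PS),
        (1256, 2064, SAMPLE, WSCRIPT), (1256, 2064, SAMPLE, WSCRIPT),
        (1256, 3068, SAMPLE, SAMPLE), (1256, 3068, SAMPLE, SAMPLE),
        (1256, 2532, SAMPLE, SAMPLE), (1256, 2532, SAMPLE, SAMPLE),
        (2064, 972, WSCRIPT, DROPPED), (2064, 972, WSCRIPT, DROPPED),
        (972, 1640, DROPPED, PS), (972, 1640, DROPPED, PS),
    ]
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text: str) -> Counter:
    """Count writes per (writer pid, target pid, writer image, target image)."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, pid, pimg, timg = m.groups()
            edges[(int(ppid), int(pid), pimg, timg)] += 1
    return edges


def build_tree(edges: Counter) -> dict[int, list[tuple[int, str, int]]]:
    """writer pid -> [(target pid, target image, write count)] in first-seen order."""
    tree: dict[int, list[tuple[int, str, int]]] = defaultdict(list)
    for (ppid, pid, _pimg, timg), n in edges.items():
        tree[ppid].append((pid, timg, n))
    return tree


def roots(edges: Counter) -> list[int]:
    """Writers that are never a target: the top of each injection chain."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def image_of(edges: Counter, pid: int) -> str:
    for ppid, cpid, pimg, timg in edges:
        if ppid == pid:
            return pimg
        if cpid == pid:
            return timg
    return "?"


def self_injections(edges: Counter) -> set[int]:
    """Targets whose image equals the writer's: the sample writing into a copy of itself."""
    return {pid for (_ppid, pid, pimg, timg) in edges if pimg == timg}


def longest_chain(tree, pid: int) -> list[int]:
    """Deepest writer -> target path starting at pid."""
    best = [pid]
    for child, _img, _n in tree.get(pid, []):
        cand = [pid] + longest_chain(tree, child)
        if len(cand) > len(best):
            best = cand
    return best


def render(tree, edges: Counter, pid: int, depth=0, writes=0, out=None) -> list[str]:
    """Indented text tree, one line per process, with the write count from its parent."""
    out = [] if out is None else out
    name = image_of(edges, pid).rsplit("\\", 1)[-1]
    suffix = f"  [{writes} writes from parent]" if writes else ""
    out.append("  " * depth + f"{pid} {name}{suffix}")
    for child, _img, n in tree.get(pid, []):
        render(tree, edges, child, depth + 1, n, out)
    return out


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, edges, root)))
        print("longest chain:", longest_chain(tree, root))
    print("self-injection targets:", sorted(self_injections(edges)))
```

Fed the full table instead of the embedded subset, the same code yields the same tree with the real write counts; the per-edge counts are what distinguish a single CreateProcess-time write from the multi-write pattern seen here.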

Processes

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

"C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs"

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

C:\Users\Admin\AppData\Local\Temp\b23d6c569893579789695f3d05accbe1.exe

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

"C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs"

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

C:\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

"C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 112

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 telete.in udp
DE 185.53.177.54:443 telete.in tcp
US 8.8.8.8:53 mazoyer.ac.ug udp
US 8.8.8.8:53 mazoyer.ac.ug udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 8e5e13ff63e461fe8dbdc7dbec80b298
SHA1 b2f1a32e316af60fd047893fadb4aa442dc5ef73
SHA256 a737a3cfac5f0620d5d27bae694b502d4b5b69b918dd42ea5483e7dd2578bb47
SHA512 89633023d236a244cdb50186e423427771c30b18a3f9f9177b959d26561555876c52f1bcfb7b868f007c5789c14a7268bc1ef931aa7c53507c5f0f86109ac0b2

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Dewgkwlbhkrsncbybkhtfpkb.vbs

MD5 eedf5b01d8c6919df80fb4eeef481b96
SHA1 c2f13824ede4e9781aa1d231c3bfe65ee57a5202
SHA256 c470d243098a7051aa0914fcda227fa4ae3b752556a5de16da5d73a169005aa4
SHA512 c9db4dff46d7517270dda041eca132368edc87bac7d0926b5179d7c385696a7b648c2b99bb444a08c60c95fd4dbd01700f17a8c9cb678bef680a8f681d248822

\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

MD5 bff1438036ccf8be218ec89f2e92230b
SHA1 805cabda5796988cdf0b624585fc4fcc514f141d
SHA256 493aa6892b773d1e49a1f861eb163134759fa1a9f44708bfdf1148231606b4be
SHA512 f9f3b256998e157d5140c0d3e8f1aa103a8d361c6cafb745e22bc1f805cad0f3d4599880534c50443ec1fd9ae907e2e6d6643c89e503e71df8e4769bc02034ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e3599a94c6e4e54fcbf3339214de3a0e
SHA1 785d8d88dd40e328d17210a8c2fa2065095b1e2e
SHA256 8a426d48850befa06b361a5f8ab5b9424fab84d53230f11d02441116ae29e1c8
SHA512 115f35e6c2bdf284749876fad76a41086731b00a075db1a995e07ec4c88ef204b6289fd546188f6361dd92913571e79267fc68b3b46c02f236695ee5de1a82a9

C:\Users\Admin\AppData\Local\Temp\Ddmmvlnwvosotwcisp.vbs

MD5 8e6ed0e063f11f70636a3f17f2a6ff0a
SHA1 4eb2da6280255683781c4b2e3e2e77de09d7d3ba
SHA256 bfd0eeb6d76e800e9fc6ffc2924ed0f8a4562bd2446ec503362ed325094e7561
SHA512 061a55f826961a96609717eb173b3f4bade372e4e26f9eae6b84f45b2bcdb97687e7d79b6d450f6a92a9805c799f623a04c7bb59550e2027ba3cf5d172a34e0e

\Users\Admin\AppData\Local\Temp\Oggnfkemtibcinconsoleapp16.exe

MD5 533e3640e395a9ee9c48b3e58e3c8792
SHA1 3a349edcdf0ff6d78fafee9b55e57dbde0c060cf
SHA256 a16541270099eaee1c8bc1a3463a31623956af8341ef4f52f5d980672538e203
SHA512 29a5f2ece551b0a81df4f856411a6f6643f8a51e14df6717ce1b214322de8124ab3b1827666606ae35291d32fd58e64d1c06991c2f13bf67aa933db91b25f909

C:\Users\Admin\AppData\Local\Temp\Hsbvhggsqlrfmuvyptooonsoleapp5.exe

MD5 81b52a797709cd2b43a567beb918f288
SHA1 91f7feded933ff4861dd2c00f971595d7dd89513
SHA256 ce7db669ec00c7169451964b79a5b3ac018e87c5dfd2ed0c89482c30f74d4bae
SHA512 70cfe54f9bf63e5d639b377efbb530b0983dcaaf6f09b0ac74b349ab1640a5eeeb98d9f22f4241a5e2da28868f183574393ffd6823bdfab00c5b102ae9443123