Analysis Overview
SHA256
5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070
Threat Level: Known bad
The file 5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Remcos
Windows security bypass
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Windows security modification
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 10:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 10:03
Reported
2024-05-09 10:06
Platform
win7-20240221-en
Max time kernel
147s
Max time network
143s
Command Line
Signatures
Remcos
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2764 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
| PID 2820 set thread context of 932 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
| PID 2820 set thread context of 2956 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
| PID 2820 set thread context of 864 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\wmplayer.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe
"C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp39E5.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2764 -s 744
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\naxtweagdgyhmdduruvckozmlipizzjk"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qckex"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\awpwxhwc"
Network
| Country | Destination | Domain | Proto |
| US | 64.188.26.202:1604 | | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 64.188.26.202:1604 | | tcp |
| US | 64.188.26.202:1604 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp39E5.tmp.bat
| MD5 | 263c5b122ffbfd72783b8c7071762468 |
| SHA1 | 8aaf7003a6254899632eee6ece4eee4b9437d110 |
| SHA256 | 408968f9369b68b6ed6e99c6a0996a38ef787c01a2009b8d2857d89001760a8c |
| SHA512 | 4254d18bc70cfbac3ed0f4b18799211bb7786bcc68b5f84d996edd0ead9e9fc3c2deec62d83bddf3fad8219e25f41d30ec225ddb64c1c40007afe542b3cec5f9 |
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 1b8e229e83f21a946115606f54fe6b8d |
| SHA1 | cf230bc4206a1789858160a0f2d3a87ed14c36a9 |
| SHA256 | 5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070 |
| SHA512 | 1f9911b01d8e3e177badb698819c06c490e3e376e23f40f99b995633e8b033427f2d5120c88d4f373a6fc3bb6e3ba5bbf526d6fa81097a188bf6f963e40bb0d1 |
C:\Users\Admin\AppData\Local\Temp\naxtweagdgyhmdduruvckozmlipizzjk
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 10:03
Reported
2024-05-09 10:06
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Remcos
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4472 set thread context of 3564 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
| PID 3564 set thread context of 3096 | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
| PID 3564 set thread context of 2800 | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
| PID 3564 set thread context of 844 | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | C:\Program Files (x86)\Windows Mail\wab.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\wab.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe
"C:\Users\Admin\AppData\Local\Temp\5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C1E.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\deuudlmynaddeihjhwujjwn"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fyzneexabivigwvnqghcmbabfi"
C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qafffwhuwqnnrcrrhrbexousoobjg"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.114:443 | www.bing.com | tcp |
| US | 64.188.26.202:1604 | | tcp |
| US | 8.8.8.8:53 | 202.26.188.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 64.188.26.202:1604 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 64.188.26.202:1604 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp3C1E.tmp.bat
| MD5 | 8f171c5f7b04ec84fa164cc84dd32eeb |
| SHA1 | add390d0c920607f31bec27fa973e9234ba6cb7d |
| SHA256 | d03466763641b14e073b415fdd581bff8354168cd0c26cc636765d5a7fc131a8 |
| SHA512 | 89a0527f483d42bc983df06d9c188bd41cf4eb0cbf067e41fc57419afb0526c3ac2623088273aaeb720278469147c60f625c5f4247e8b8ebfdca1b54d1d13c5c |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 1b8e229e83f21a946115606f54fe6b8d |
| SHA1 | cf230bc4206a1789858160a0f2d3a87ed14c36a9 |
| SHA256 | 5311d825c3975765c9a9a56f7c28f98b6f92c90b21a2a5ecd1bbbb0aabd82070 |
| SHA512 | 1f9911b01d8e3e177badb698819c06c490e3e376e23f40f99b995633e8b033427f2d5120c88d4f373a6fc3bb6e3ba5bbf526d6fa81097a188bf6f963e40bb0d1 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcunew4h.ypi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\deuudlmynaddeihjhwujjwn
| MD5 | 365f45018b7bcc98591979d6c4b23752 |
| SHA1 | 073aff125450845105f5daa7d0e7cc24ee8bbca5 |
| SHA256 | 27be905cdbf87c23851d00d61afd5fcfe5c72b1de227ac7d8c0dc5c7583c9a6e |
| SHA512 | 4bd0d2266c624b9ad40e9ba6cb4d63debd12f46f5c27afae3bfc20e3e7f5e9f9c88f83151166324223c5889034a4d70652cf747f6943af011191c64c28e18703 |