Malware Analysis Report

2025-06-16 03:22

Sample ID: 220510-2hmzwshff2
Target: f0fd5d38ffa54d8dfd6456c0b7a8664b
SHA256: 4e3056448e294407b47e08e4dd3364b14acc1fe05d602cbe3347e10800f925ae
Tags: bitrat suricata trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4e3056448e294407b47e08e4dd3364b14acc1fe05d602cbe3347e10800f925ae

Threat Level: Known bad

The file f0fd5d38ffa54d8dfd6456c0b7a8664b was found to be: Known bad.

Malicious Activity Summary

bitrat suricata trojan

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

BitRAT

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-10 22:35

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-10 22:35
Reported: 2022-05-10 22:37
Platform: win10v2004-20220414-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

Signatures

BitRAT

trojan bitrat

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3356 set thread context of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3356 wrote to memory of 3260 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3356 wrote to memory of 2660 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3356 wrote to memory of 2508 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3356 wrote to memory of 4196 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe
PID 3356 wrote to memory of 4304 (11 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rGucnaAeGqFkx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rGucnaAeGqFkx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp248F.tmp"

C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | https.myvnc.com | udp
NL | 192.121.102.242:9111 | https.myvnc.com | tcp
US | 8.8.8.8:53 | https.myvnc.com | udp

Files


C:\Users\Admin\AppData\Local\Temp\tmp248F.tmp

MD5 4b13bd67cade98501400c62a2f4eb0e3
SHA1 6504f657347472c185eaad89af67857856e2f7e8
SHA256 396029ad083faeb4cc90b75044e16427303beb75987e116a2c7311d9e088e90c
SHA512 c5d43312407966404eb7f6d8f11c8e43b393bb002dbc2c6270ce2e70cc95776a87e137a573febdc1a77e28e0f45e8bfa5c02865a1938b480d1357be59ae8f7ec


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 04bebfdd3dd2a37f8a6c4b866531a336
SHA1 b974edb0ddedac47aad59dfb284933ce4941390b
SHA256 1b61025d347152bbfba6cfd465f1121843ca6953627eafb5c6dc22f5b22fb667
SHA512 17d7a787ae4e38bb0e7bc8c49c0331ba3ff30d53ddc7eade292e939dd17f79b4f7476bbd08866bc91674b649bf909034a1efa4a3d5ee2cedb5683bccf274bd1f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-10 22:35
Reported: 2022-05-10 22:37
Platform: win7-20220414-en
Max time kernel: 149s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

Signatures

BitRAT

trojan bitrat

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 376 set thread context of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 376 wrote to memory of 1352 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 376 wrote to memory of 1780 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 376 wrote to memory of 1836 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 1460 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe | C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rGucnaAeGqFkx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rGucnaAeGqFkx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD624.tmp"

C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe

"C:\Users\Admin\AppData\Local\Temp\f0fd5d38ffa54d8dfd6456c0b7a8664b.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | https.myvnc.com | udp
NL | 192.121.102.242:9111 | https.myvnc.com | tcp
US | 8.8.8.8:53 | https.myvnc.com | udp

Files


C:\Users\Admin\AppData\Local\Temp\tmpD624.tmp

MD5 db859e33939e1d3f71f354b4de2d9ce1
SHA1 cae69c1ce0a74afc32c1abd38918e7e38cf93a8d
SHA256 c3f9ff42c9bcedd8fa46a824f3bc979bcf1e81bff4f74d26245eac32a852cdbd
SHA512 188d7356d77b0f7d07ebf5d1a1f97cb81be5adcc8bfe2f9e4341bc705e3b31d3e95bfb22a751b6651f77309cae10736ad4e4c0fd0db6690047396d897fc83408

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1be8301f3fe6d9c8632b565855a60f22
SHA1 02785613b6cc3b3e2794ad004ceae76ffa2a6eb6
SHA256 357c3b078aa8ddefa354f97ce67113652a592303e222726858cdb575097f9bdb
SHA512 516c6d8a314cf40bb64b8b9c2ba88345a8415a39cff02e48f19bdd58e83f53710c66958aec1281173d15d5f08c53a9903832bf06584d710b3fc2448e1d612670
