Analysis Overview
SHA256
fc1ad8d1483f0b1c94b55be7b7587b86485022ca4e62e6fb0c06e392dfaeecd2
Threat Level: Known bad
The file C11Bootstrapper.zip was found to be: Known bad.
Malicious Activity Summary
Umbral family
Asyncrat family
Detect Umbral payload
Umbral
AsyncRat
Async RAT payload
Drops file in Drivers directory
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs ping.exe
Modifies data under HKEY_USERS
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Modifies registry class
Delays execution with timeout.exe
Detects videocard installed
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 20:56
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
154s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp |
Files
memory/4496-0-0x0000000000580000-0x00000000005C4000-memory.dmp
memory/4496-1-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4496-3-0x000000001B280000-0x000000001B290000-memory.dmp
memory/4496-4-0x00007FF984460000-0x00007FF984F21000-memory.dmp
memory/4496-5-0x000000001B280000-0x000000001B290000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win7-20231129-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2240 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 2240 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
memory/2240-0-0x0000000001090000-0x00000000010D4000-memory.dmp
memory/2240-1-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp
memory/2240-2-0x0000000000DF0000-0x0000000000E70000-memory.dmp
memory/2240-17-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
152s
Command Line
Signatures
AsyncRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
C11Setup.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
GuiLoader.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
PageEditor.exe
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp |
Files
memory/1096-0-0x000001CE061B0000-0x000001CE061F4000-memory.dmp
memory/3588-1-0x0000000000020000-0x0000000000064000-memory.dmp
memory/228-2-0x0000000000F00000-0x0000000000F18000-memory.dmp
memory/3588-3-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/1096-4-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/228-7-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
memory/228-8-0x000000001BDF0000-0x000000001BE00000-memory.dmp
memory/3588-9-0x000000001AC80000-0x000000001AC90000-memory.dmp
memory/1096-11-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/228-12-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3588-13-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp
memory/3588-14-0x000000001AC80000-0x000000001AC90000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
AsyncRat
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe"
Network
Files
memory/1556-0-0x00000000010E0000-0x00000000010F8000-memory.dmp
memory/1556-1-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/1556-3-0x000000001AEF0000-0x000000001AF70000-memory.dmp
memory/1556-4-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win7-20231129-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Start.bat"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
AsyncRat
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ed2fd579c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e1604599c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000079f1a589c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3e510589c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ea94579c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb9e0d599c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b835b4599c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cf0de579c92da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3896 wrote to memory of 3424 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3896 wrote to memory of 3424 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3896 wrote to memory of 1976 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 3896 wrote to memory of 1976 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 808 812 760 8192 816 792
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1232-0-0x0000000000FC0000-0x0000000000FD8000-memory.dmp
memory/1232-2-0x00007FFE7C450000-0x00007FFE7CF11000-memory.dmp
memory/1232-3-0x000000001BDF0000-0x000000001BE00000-memory.dmp
memory/1232-4-0x00007FFE7C450000-0x00007FFE7CF11000-memory.dmp
memory/3896-5-0x0000020A6D960000-0x0000020A6D970000-memory.dmp
memory/3896-21-0x0000020A6DB90000-0x0000020A6DBA0000-memory.dmp
memory/3896-37-0x0000020A71F50000-0x0000020A71F58000-memory.dmp
memory/3896-41-0x0000020A728C0000-0x0000020A728C8000-memory.dmp
memory/1976-43-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-44-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-45-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-46-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-47-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-50-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-49-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-48-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-51-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-52-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-54-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-57-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-56-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-59-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-61-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-60-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-58-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-55-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-53-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-62-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-63-0x000001DD7ED70000-0x000001DD7ED80000-memory.dmp
memory/1976-64-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-65-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-66-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-69-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-68-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-67-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-70-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-71-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-73-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-74-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-75-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-77-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-80-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-79-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-78-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-85-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-87-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-86-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-76-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-92-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-103-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-105-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-104-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-107-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-113-0x000001DD7ED40000-0x000001DD7ED50000-memory.dmp
memory/1976-114-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-115-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-125-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-126-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-127-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-129-0x000001DD7ED70000-0x000001DD7ED80000-memory.dmp
memory/1976-130-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-132-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-133-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-137-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-141-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-142-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-143-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-146-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-154-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-156-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-157-0x000001DD7F180000-0x000001DD7F190000-memory.dmp
memory/1976-158-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-161-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-162-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-163-0x000001DD7F180000-0x000001DD7F190000-memory.dmp
memory/1976-168-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-169-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp
memory/1976-170-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-171-0x000001DD7F180000-0x000001DD7F190000-memory.dmp
memory/1976-178-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-184-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp
memory/1976-183-0x000001DD7F180000-0x000001DD7F190000-memory.dmp
memory/1976-186-0x000001DD7F180000-0x000001DD7F190000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:58
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:58
Platform
win7-20240215-en
Max time kernel
148s
Max time network
120s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp |
Files
memory/2356-0-0x00000000008B0000-0x00000000008F4000-memory.dmp
memory/2356-1-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp
memory/2356-3-0x000000001AFA0000-0x000000001B020000-memory.dmp
memory/2356-4-0x0000000077750000-0x00000000778F9000-memory.dmp
memory/2356-5-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp
memory/2356-6-0x000000001AFA0000-0x000000001B020000-memory.dmp
memory/2356-7-0x0000000077750000-0x00000000778F9000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:58
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
memory/3516-0-0x0000013FB24E0000-0x0000013FB2524000-memory.dmp
memory/3516-1-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3516-2-0x0000013FCCA20000-0x0000013FCCA30000-memory.dmp
memory/5056-4-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrusvwsp.bdu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5056-3-0x0000020D75C80000-0x0000020D75CA2000-memory.dmp
memory/5056-14-0x0000020D75C70000-0x0000020D75C80000-memory.dmp
memory/5056-15-0x0000020D75C70000-0x0000020D75C80000-memory.dmp
memory/5056-18-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3800-20-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3800-21-0x000001DA9B5E0000-0x000001DA9B5F0000-memory.dmp
memory/3800-22-0x000001DA9B5E0000-0x000001DA9B5F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
memory/3800-33-0x000001DA9B5E0000-0x000001DA9B5F0000-memory.dmp
memory/3800-35-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3516-38-0x0000013FCCC10000-0x0000013FCCC86000-memory.dmp
memory/3516-39-0x0000013FCCC90000-0x0000013FCCCE0000-memory.dmp
memory/3516-40-0x0000013FCCBD0000-0x0000013FCCBEE000-memory.dmp
memory/2936-41-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/2936-42-0x0000019504620000-0x0000019504630000-memory.dmp
memory/2936-43-0x0000019504620000-0x0000019504630000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c65738617888921a153bd9b1ef516ee7 |
| SHA1 | 5245e71ea3c181d76320c857b639272ac9e079b1 |
| SHA256 | 4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26 |
| SHA512 | 2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa |
memory/2936-66-0x0000019504620000-0x0000019504630000-memory.dmp
memory/2936-68-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3984-69-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3984-70-0x000002425FE70000-0x000002425FE80000-memory.dmp
memory/3516-71-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/3984-82-0x000002425FE70000-0x000002425FE80000-memory.dmp
memory/3984-84-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3516-85-0x0000013FCCA20000-0x0000013FCCA30000-memory.dmp
memory/3516-87-0x0000013FCCDE0000-0x0000013FCCDEA000-memory.dmp
memory/3516-88-0x0000013FCCE10000-0x0000013FCCE22000-memory.dmp
memory/4268-102-0x00000186486E0000-0x00000186486F0000-memory.dmp
memory/4268-101-0x00000186486E0000-0x00000186486F0000-memory.dmp
memory/4268-91-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 92382908106bf04aac6575ae0e55073f |
| SHA1 | b164dd606b60ada42fe843963f95e14e92d5d86a |
| SHA256 | 1332dc373efa610424b48ae9955247275f4f94cfeecec93a5121784ed8d6b3db |
| SHA512 | d6ee3e3776f683b2a4eaf4fd92e2cd2b9412d85fb57556130d8cabf52e180fb17b5dcdfec9ccd0b3b80bed2816c0bd2d25de35580b859e7799b7cb61071edb3f |
memory/4268-105-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
memory/3516-110-0x00007FFC2C820000-0x00007FFC2D2E1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
AsyncRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
C11Setup.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
GuiLoader.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
PageEditor.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2696 -s 580
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
Files
memory/2696-31-0x0000000000D00000-0x0000000000D44000-memory.dmp
memory/2728-30-0x0000000001390000-0x00000000013D4000-memory.dmp
memory/2800-29-0x0000000000200000-0x0000000000218000-memory.dmp
memory/2800-33-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2728-34-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2696-35-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2800-36-0x000000001A710000-0x000000001A790000-memory.dmp
memory/2728-37-0x000000001A8F0000-0x000000001A970000-memory.dmp
memory/2728-38-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2800-39-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-19 20:56
Reported
2024-04-19 20:59
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
AsyncRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Start.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K IndependenciesInstallation.bat
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\timeout.exe
timeout /t 1
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
C11Setup.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
GuiLoader.exe
C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
PageEditor.exe
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| N/A | 127.0.0.1:4449 | tcp | |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/5104-0-0x0000020DFF3A0000-0x0000020DFF3E4000-memory.dmp
memory/3868-1-0x0000000000FB0000-0x0000000000FC8000-memory.dmp
memory/368-2-0x0000000000180000-0x00000000001C4000-memory.dmp
memory/368-3-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
memory/3868-6-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/5104-7-0x0000020D9A2C0000-0x0000020D9A2D0000-memory.dmp
memory/368-8-0x000000001AFB0000-0x000000001AFC0000-memory.dmp
memory/5104-9-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/4208-10-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/4208-12-0x000002327DB10000-0x000002327DB20000-memory.dmp
memory/4208-11-0x000002327DB10000-0x000002327DB20000-memory.dmp
memory/4208-13-0x000002327DA90000-0x000002327DAB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ble2cpf5.qnt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3868-23-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/4208-24-0x000002327DB10000-0x000002327DB20000-memory.dmp
memory/4208-27-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/952-29-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/952-30-0x000001DFAA170000-0x000001DFAA180000-memory.dmp
memory/952-31-0x000001DFAA170000-0x000001DFAA180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/952-42-0x000001DFAA170000-0x000001DFAA180000-memory.dmp
memory/952-44-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/5104-47-0x0000020DFF7C0000-0x0000020DFF836000-memory.dmp
memory/5104-48-0x0000020DFF840000-0x0000020DFF890000-memory.dmp
memory/5104-49-0x0000020DFF760000-0x0000020DFF77E000-memory.dmp
memory/2104-50-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/2104-51-0x000001EE9A030000-0x000001EE9A040000-memory.dmp
memory/2104-52-0x000001EE9A030000-0x000001EE9A040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74a6b79d36b4aae8b027a218bc6e1af7 |
| SHA1 | 0350e46c1df6934903c4820a00b0bc4721779e5f |
| SHA256 | 60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04 |
| SHA512 | 60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0 |
memory/2104-75-0x000001EE9A030000-0x000001EE9A040000-memory.dmp
memory/2104-77-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/348-88-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/348-89-0x000001937A8E0000-0x000001937A8F0000-memory.dmp
memory/348-90-0x000001937A8E0000-0x000001937A8F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 227556da5e65f6819f477756808c17e4 |
| SHA1 | 6ffce766e881ca2a60180bb25f4981b183f78279 |
| SHA256 | 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4 |
| SHA512 | d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a |
memory/368-91-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/348-92-0x000001937A8E0000-0x000001937A8F0000-memory.dmp
memory/348-94-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/5104-95-0x0000020D9A2C0000-0x0000020D9A2D0000-memory.dmp
memory/368-96-0x000000001AFB0000-0x000000001AFC0000-memory.dmp
memory/5104-98-0x0000020DFF740000-0x0000020DFF74A000-memory.dmp
memory/5104-99-0x0000020DFF7A0000-0x0000020DFF7B2000-memory.dmp
memory/5104-102-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 43475d20ed96d7c6627d7f7f5726a901 |
| SHA1 | 2e1704dc14bcfe8bc0311e26cb48c3fb884407c4 |
| SHA256 | 299720508b495a169d1cd56c6ab6d75a829c6b2edfd4a7816b4f581c0c8eae9a |
| SHA512 | d9a05e8e473fc9bfb56b882d09772c99518675a7c99769f95df2466ae11ed3b62d01cb70e07db9bc51961c14fdc778efad3393213c0f08dff7bed9ea5b44623f |
memory/3484-113-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/3484-114-0x0000023022AD0000-0x0000023022AE0000-memory.dmp
memory/3484-115-0x0000023022AD0000-0x0000023022AE0000-memory.dmp
memory/3484-117-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp
memory/5104-122-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp