Malware Analysis Report

2024-10-10 12:54

Sample ID 240531-dfezhadh33
Target ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
SHA256 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
Tags rat dcrat execution infostealer persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908

Threat Level: Known bad

The file ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908 was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

Detects executables packed with SmartAssembly

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-31 02:56

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-31 02:56

Reported 2024-05-31 02:59

Platform win7-20240221-en

Max time kernel 150s

Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (recorded 6 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (7 hits, no details recorded)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A (10 hits, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\iassvcs\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\fmifs\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\vga\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\netmsg\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\vga\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\vga\RCXB9DF.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\netmsg\RCXBD6B.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\netmsg\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\iassvcs\RCXC29D.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\fmifs\RCXC741.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\fmifs\RCXC7BF.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\vga\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\fmifs\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\vga\RCXBA5D.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\netmsg\RCXBCDD.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\iassvcs\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\fmifs\services.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\iassvcs\RCXC28C.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\fmifs\services.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\vga\dwm.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\netmsg\csrss.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\netmsg\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\iassvcs\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\iassvcs\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (recorded 6 times)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A (29 hits)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (7 hits)
N/A N/A C:\Windows\System32\iassvcs\spoolsv.exe N/A (28 hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A (1 hit)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (7 hits)
Token: SeDebugPrivilege N/A C:\Windows\System32\iassvcs\spoolsv.exe N/A (12 hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 hits)
PID 2008 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\cmd.exe (3 hits)
PID 2416 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 hits)
PID 2416 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\iassvcs\spoolsv.exe (3 hits)
PID 1456 wrote to memory of 2800 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 1456 wrote to memory of 2116 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 2800 wrote to memory of 3040 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\iassvcs\spoolsv.exe (3 hits)
PID 3040 wrote to memory of 2908 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 3040 wrote to memory of 2612 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 2908 wrote to memory of 2376 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\iassvcs\spoolsv.exe (3 hits)
PID 2376 wrote to memory of 1904 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 2376 wrote to memory of 560 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 1904 wrote to memory of 592 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\iassvcs\spoolsv.exe (3 hits)
PID 592 wrote to memory of 2644 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 592 wrote to memory of 1960 N/A C:\Windows\System32\iassvcs\spoolsv.exe C:\Windows\System32\WScript.exe (3 hits)
PID 2644 wrote to memory of 440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\iassvcs\spoolsv.exe (1 hit)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe

"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\vga\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\netmsg\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\fmifs\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vga\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netmsg\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iassvcs\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fmifs\services.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\iassvcs\spoolsv.exe

"C:\Windows\System32\iassvcs\spoolsv.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa24909-e1f0-424b-9ffa-f47c7a818ec8.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730f488e-633f-431e-a67e-c6d1d1724d72.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6310bd7-df60-4b26-b965-586cac677826.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546b53b3-d3fb-410d-bde4-f2e6013021b3.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3a8f9b-f414-400d-897e-0e3f8b0ff020.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657353cb-fe0d-4de0-8972-e18565c3d4b0.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e56b1e29-b58b-4187-bb7e-63e18a08ec80.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a2e2bd4-0db1-46de-a56f-cf90b66c524c.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed16267-7572-4476-a624-97c44b236cd8.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2377991-683d-4e97-aaa2-854cc1ec4d2f.vbs"

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\iassvcs\spoolsv.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f6f2e6-30dd-4812-b3ef-00c47ccf9d10.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 srv174492.hoster-test.ru udp

Files

C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe

MD5 8a47ebacc81a5930588692128bc229f8
SHA1 3323a7c3376d19d5db6decb7c0fe2747848f9725
SHA256 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
SHA512 d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

C:\Windows\System32\vga\RCXBA5D.tmp

MD5 4fde70524de984333863598880cb9cc7
SHA1 9917b609b02886d7774884dfa8c4df4fef949600
SHA256 dd85a7ce1af62aaf4f44492da231f31c99bb3948b00bb96cf49eb28d52e15bde
SHA512 fcfb4b84e97b5d641dd93d97cf81d0730f3e29f4a89fbb98a8d5cc52f6d8beb8c3b0b787b8e31220f0d9a677887e2bbbaac47e32c8044598f8fa523389ae702b

C:\Windows\System32\netmsg\csrss.exe

MD5 79869f0813473ce369325084336bd639
SHA1 c268bad98f7b53ae47e44799ea0a97ef840cac43
SHA256 72ef1b4c7a2bae2592db9887bd756b8f24302ce9c902735aba9327f226a9ffb9
SHA512 840469e86dc53b5c4267078586f12dca88c28c0d6f6e8602ad78ba7c6ca7d6a1183d0cba19aee53c28c8c979a086e0905a5aaf94cf50cb85ff07d87260efc46e

C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe

MD5 f6cec2c40749bf1daca6d68699c7a02b
SHA1 615e3f7b06c844b9a5c4cc1bdb31c9508b7d2acf
SHA256 d9a534a6d94b49787b49e100a7a0be9f771b8d13e0423d114a38e3f3336164b0
SHA512 ea24b7b563c09349d5055fe4d7e535c8d058b53168078a99156311ec1400fc864094f4c126737207075e2a06ba076752f51bfa8f081955357c859001f6facee0

C:\Windows\System32\fmifs\RCXC7BF.tmp

MD5 8bbddf52bbebab4711c8876040274f6f
SHA1 ddcc063bba90c2b289a02a1aafcd8b721cf57714
SHA256 c5e179d62ba64a761ac1a50c96c73a92bc5e810b61ef2e28ce5199ad4672bcb7
SHA512 cb47035f923c92439e495114eabfcfa97fc5d97519ad94430251c1f6d7307cb76e0a03cc1e88163d1fce4bafcb0f86b8eec67eaae0df5b0732513d96dbe1dfe3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 401811914b1cd4e73a154a0c72251354
SHA1 28c172374439338cb990207d0e1856a9da3b4ab5
SHA256 a37e0ed93fe9b3ec9618480a2c7c5a7b62927c2e46c60cfa2fdacf89bb6e63d5
SHA512 a09e4656d92868c3a118bc6e8339559008d11533bc3d4f31055e826f691beebdac20c3d17646f163543939fa5acea572ca4cf9a84941e92ee31c86105a37b5e1

memory/1520-115-0x000000001B430000-0x000000001B712000-memory.dmp

memory/1520-126-0x0000000002560000-0x0000000002568000-memory.dmp

memory/2008-137-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat

MD5 c4d92617f32d772464d7f4efb445a131
SHA1 037760c2aa3a4cbf69f762d45d8f65e704449631
SHA256 fcc0e723581d83d5663cec07ec2293500dcfb25e98777a3f9474d61059a7e432
SHA512 6c449155f1f9ef3dc43cd8d1efc0d2b1bcd232f6e61185ebdebbe521d57e2010954303850492d4c77a3f04a1775b4009e2f0ac0712a314a3f9a82c08d8073403

memory/1456-141-0x0000000001020000-0x0000000001266000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs

MD5 4b361db7162ee3a19cfdbe4d8554a889
SHA1 9131769e7294f9df8e4248bc33fd426470768fd3
SHA256 a0b0e8fb1849095a70d5678704b9c386e7fc4d1ab57620ca02677c244b6d8bbb
SHA512 d87bf7ce0a4c8ee9fbbafd01920b410dd42ad30fd3ccbc24706bb39c23bc0aa72d89d4533efd50e7a883b165c19fd54626f63b987f36cf337a452c170c2b2c86

C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs

MD5 5de15873e0b49be19dc3215e233a92bb
SHA1 eb1c2d2398623411ecf27a2213f0618b8301c5da
SHA256 d8c14911d2f4d09b661c98f52a5a4eebecaa7ef3466750d0896745934a6489ce
SHA512 b5a351ac9f134f61cf9d16a28d2828d31b7cc3f5eb9f5bab013e9b838ad7c23d12e37fd1929904aef9739c7a18452f5e9983141c2427f75105a8a43e81d1b431

memory/3040-152-0x0000000000270000-0x00000000002C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs

MD5 217e248ac09db2aee4a59288b9de3c94
SHA1 35a8b72f702b2ca1d26f1c5e3954a3db071b6597
SHA256 7b32000193a3f7c031413a0d6a40fc682e354b2f54a51ae61b9c202fa4a49979
SHA512 dbf743ea5ee297f3fe7ad29025b1768a2eefbbbb8dd3631ed5bbbf4b7b2f3114b80cb4c7e62b5f3bb1983d4f575d5a2fd3428306a74d3450bc717695ac6e7087

C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs

MD5 e24f09a874ce1dd0479c57976827fd7f
SHA1 4e81fecc79700f92538b7ca5114fdedcf55391cc
SHA256 ec0bbee12c437cc154e8ba19ea19db998d433aebfee84060f9229fb5f7544428
SHA512 9d0b921a345f70b18b3a99b02ebb72b7d9853425efb886a46318e9991ffe35d46c80477b94c77ffcc20a63b117bab93a83d9339ed856bedd78a1effd06918cfb

C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs

MD5 57be99fed90681eff6c13d5bcc62e22e
SHA1 db9f4be11739c196437c6922aae43396a7a150cd
SHA256 7117840ffd95470ee9b24957072ab58c42f0caa1d4a3931d12222292da84ec40
SHA512 053697a5d8adf23df776bfb988bc14ac5e275abd465d27907a22af559749aeba8d6cd18078bd0e945bd24867baa2cb60c2b846ac387503c4d9792916a387a7a6

C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs

MD5 e156c4ec27bfe79a088bf4f794222866
SHA1 a315e7bd18601cdba9b050765b0072ac7cd92565
SHA256 9450c30f4c75620e174ec6c1f1088da1c5b0f3043e35e4ad8476f060e146c516
SHA512 5756dcc41113a24bfd9bea2c9a30a6a5fa875c0aaf793fad6c1499f5aa66ef97676624226ce4fea606234c3b10bcfc6c9827007825f5eca0910b7be12b345fc1

C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs

MD5 9f4cbd89974087c2a51253d740a27cca
SHA1 e4a9870b19bdbafa10a47ff3f8b0fd78454ed672
SHA256 c47e778f164ccf6b9366ae3a44a87d77af2a2f5ea264e44c853889a8a3ec160e
SHA512 4bb50d6372060f1b57b842287579f43ca02e51de7cc5eae9ccdf4325bd282991568796309fd6c8479b656d7f82a9a3494e3f48707e6603dbc263eef7e20f996e

C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs

MD5 21d0c11e5e3ddaf088a0bffe6240cbdd
SHA1 d672b7433ee2bb00b86cf67d6cb32419c762885e
SHA256 bb322a3f7f7ba34b0620438d1765d2e815a0b7de2b4252ca1c0e09a33d992085
SHA512 4037c16b4c553994017289a41921fe69db0d9ddf3063ec2b486e5bf5f6e63975811c52924c1f54a03472ee6045a8f926ac50c990dc8e376e0ced48fe2d33b112

C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs

MD5 fe8a9074ab3bc15b180e0164acf63923
SHA1 4b830468b1f69422d86970eff1ca9cce92b2e215
SHA256 f53d4fa1fe0605443f72902990eb62ecaca6fa6d503776eecbd2e3e11510851f
SHA512 5ed8b415198aadd8d86e5d2131ca1510481144609ca687ac920a238c0a4615c4621d89e684e0b66b7229bd06401fb5be6be88ffcb165dfec9a9a31cbae5b137e

C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs

MD5 8b018b8ad854444d2cb04b074c027fd8
SHA1 00498348536cf51e29b5122ef0683012d966be1b
SHA256 b79b4f700d0c2cb5243b9ec67d37d0763a73a9e71ede90ae751fa09503dc23f0
SHA512 526710f09ae3eeac05acdcdc8d8cbb1f94a1518e19e5f22f7fbb0e389e3f587f5f2d3931edadc6bdcd40203506005be19ad1f7ed77c85aef8deb28a3f39e906a

C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs

MD5 cb4460b7005b798f875253a274b84e95
SHA1 5c34a6c6b84d94ba74d717a049ac9818df3225ff
SHA256 a709735063fd1ffd625875b3afd943244c445c4d45d52a786555bb96022bb761
SHA512 7e5638694de28bcf6296824f109c1195259a12764415c61549fa22758373dc116ef822a1c261885718f7a4123e3a1e73baa866f55fd970a02e46e1b1a9b94160

C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs

MD5 0ff4692ba272730a6e476a873c2aef1c
SHA1 2d392c0d382fb77f999d49a03b76d955df78570f
SHA256 af1ab028216c5727b6994d910d13df63b652557f9f7dd63558df36807c417ca7
SHA512 945348448c9002d11c44bb73a4c13992636356e8698c34b936f70700a7e998b03b46ce7df3cda34c66c277af872cffd03a9a6958f4a6d1f6d9cc9f55e873da7f

memory/1696-263-0x00000000005C0000-0x0000000000616000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs

MD5 95bd8089f91d4c460255d2d073345b66
SHA1 58b0a155bdf3db0e46f174239caae269732b3ba5
SHA256 3c277ef443fe66f9d9ab9f83cddd5dd9dfb1c8787d498496f14c6cf701bc7014
SHA512 09d9d76609f88babad5e535ad78660ba036a6fa3ac358e087437c741c1943ec5ac6d478f4e540bfee7af65b1eaa142706d8dc4629ef5375ecd74847497deac24

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 02:56

Reported

2024-05-31 02:59

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\Analog.Shell.Broker\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\All Users\\Adobe\\Setup\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\ProgramData\\SoftwareDistribution\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Analog.Shell.Broker\RCX58C1.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\Analog.Shell.Broker\RCX58C2.tmp C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File opened for modification C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
File created C:\Windows\System32\Analog.Shell.Broker\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
N/A N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 344 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 344 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 344 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 4724 wrote to memory of 3972 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 3972 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 4344 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4724 wrote to memory of 4344 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3972 wrote to memory of 3028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3972 wrote to memory of 3028 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3028 wrote to memory of 4028 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 4028 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 3736 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3028 wrote to memory of 3736 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4028 wrote to memory of 1756 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 4028 wrote to memory of 1756 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 1756 wrote to memory of 3144 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1756 wrote to memory of 3144 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1756 wrote to memory of 1344 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1756 wrote to memory of 1344 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3144 wrote to memory of 452 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3144 wrote to memory of 452 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 452 wrote to memory of 4924 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 452 wrote to memory of 4924 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 452 wrote to memory of 3528 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 452 wrote to memory of 3528 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4924 wrote to memory of 3860 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 4924 wrote to memory of 3860 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3860 wrote to memory of 4380 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3860 wrote to memory of 4380 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3860 wrote to memory of 1480 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3860 wrote to memory of 1480 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 4380 wrote to memory of 2848 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 4380 wrote to memory of 2848 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 2848 wrote to memory of 3180 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 3180 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 4068 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2848 wrote to memory of 4068 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3180 wrote to memory of 2744 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3180 wrote to memory of 2744 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 2744 wrote to memory of 960 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2744 wrote to memory of 960 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2744 wrote to memory of 1500 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 2744 wrote to memory of 1500 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 960 wrote to memory of 1316 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 960 wrote to memory of 1316 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 1316 wrote to memory of 632 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 632 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 1760 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 1316 wrote to memory of 1760 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 632 wrote to memory of 3340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 632 wrote to memory of 3340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
PID 3340 wrote to memory of 2172 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe
PID 3340 wrote to memory of 2172 N/A C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe

"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\fontdrvhost.exe'

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

"C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15512a27-1632-48ae-a87f-7e570874c52c.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5c93ee-959c-42f3-a57e-53e721abbb06.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b90654-6ed7-49ff-bc29-ea38fef6213f.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240f518e-d3e0-467e-beed-021756eaf370.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3013c67-6628-41b2-ad42-14481e46c972.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7101fda6-6084-4a69-98fd-1c2088b9ed86.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c9098c-4b31-4c31-b57b-dcf4eb02e9b4.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c0f184-8fd8-4273-8843-cf17d092e7f0.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09f0430-3221-4884-8055-8dc261939e3f.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b7206b-e08c-453c-85e8-186f9e155015.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0333ab8-9ed6-409a-aa0b-5f9920815e51.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffef8f49-f941-469f-97bc-8402dde0e9ea.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57983995-7fc2-40b1-aa84-58185cc552be.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7229e023-8505-4b34-9f70-c2f644b6bede.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68bb6dc3-ea4f-4c11-852d-8174a1605668.vbs"

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21847678-6bd4-4321-bcee-c386ebeee3e1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f1db2b-13b0-4ed0-83ad-33a51f87270c.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 srv174492.hoster-test.ru udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/344-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

memory/344-1-0x0000000000770000-0x00000000009B6000-memory.dmp

memory/344-2-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

memory/344-3-0x0000000002A10000-0x0000000002A1C000-memory.dmp

memory/344-4-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/344-5-0x0000000002A30000-0x0000000002A86000-memory.dmp

memory/344-6-0x0000000002A90000-0x0000000002A98000-memory.dmp

memory/344-8-0x0000000002BC0000-0x0000000002BCA000-memory.dmp

memory/344-7-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

memory/344-9-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

memory/344-10-0x000000001B5D0000-0x000000001B5DA000-memory.dmp

memory/344-11-0x000000001B5E0000-0x000000001B5EC000-memory.dmp

memory/344-12-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

memory/344-13-0x000000001B600000-0x000000001B60A000-memory.dmp

C:\PerfLogs\fontdrvhost.exe

MD5 8a47ebacc81a5930588692128bc229f8
SHA1 3323a7c3376d19d5db6decb7c0fe2747848f9725
SHA256 ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
SHA512 d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14

C:\ProgramData\SoftwareDistribution\upfc.exe

MD5 890c6979f506268ec4cb03d22e323b54
SHA1 dc0e3fd26dc90a0cf9f303634e3b04321f81d2c5
SHA256 4d6c0af64ff09fbc2e869a7f78291396de04b08b41f166311cc8cc8222779ab1
SHA512 7402617bd6a64c778f22c663cef462a306459f9a28e87f9b543d8960c97fd8258d40a64f5489457c9097afbbe3634436b2eeb3dd92f73c805d88d300b32815f6

memory/3096-142-0x000001EF6F8B0000-0x000001EF6F8D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogy10xi.aa1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/344-203-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/4724-217-0x000000001AFE0000-0x000000001B036000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs

MD5 725e8c09310641092c830ac46617df5e
SHA1 de4df0b4d84c9fc3d7094b09422f2853f5d3f923
SHA256 48a6b2d382f4165077f7918957d8878dab737e1d4aa5dfe8bcb27b4be7ce172b
SHA512 39749ad2cc56dce3dee0d2e023e2c7731f822be89f3e32c9179502e156a1b62153d158140c0c9b9629f8a97f4e8e0e8fac96e39596e792438d5d1903d7af70ab

C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs

MD5 335cf549b99251e92119cb0e197ebac8
SHA1 b465bae1e29ac519998f9f921102e7bcf7414682
SHA256 c9d491a34273e31af4b690b5e76e7e0cfc592f9793849954e1b1ac10cb45ede5
SHA512 f312e56057b79b86e8a7c50ae5769305c58116146b5203659e0b8d69dbc06bd170c822b47d7a5a1bf615f7dd876579e0a963fbe2492fb943c51fe285ccf1dc1c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3028-230-0x0000000002DD0000-0x0000000002E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs

MD5 b28d1c02d33eed47d3c9ce0cea6878f0
SHA1 ffdf793160e4c20e274e5cab9e9656e07fb310ee
SHA256 a726408c3a645cf2eb5b9ad8bc0701b2fbf72eb668a1e49676dc8272bd8e12cc
SHA512 bb49d75054dfeb4e70940fe178524a3f6d76b78a630d71b1af10c427f542267c0ac4f8b49488c1a3c6d085eb00a5e389538b91ae76cf243f862c7a6546d6f769

C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs

MD5 a7378dded00637f3f08a8f1393afe3af
SHA1 5f2818c64815c4720c079c25938e21391a4a268e
SHA256 2e07edcf3499270d85453ca03618c7087310689981e26694a465e7dc03d1e395
SHA512 1f955ee0ad13c35382786470cf70f127b88370e261f3b0376f542cb89091c65b1f5ff12da178e094e1d28ceec13be5af6374837adbb6b89b632706190468d1a7

memory/452-253-0x000000001BDC0000-0x000000001BE16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs

MD5 67016f70b2fd0c5c4ab8932ef4411b67
SHA1 a93d02dc81809d9bdd236368725e8943ed6882dd
SHA256 ed25245c0f29f97a888d1375c2f5dc2e9815bc3819f308a60b886acdc1e31b82
SHA512 1c9a38e33de15d04428d0b092d32b6ba97fd05dca18d8ad27108cccf155c5bfd26efa6d7d1c370701ecdcbc108aabf0034e2823de05cf03d1574719a46574896

C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs

MD5 80969060b621e75029d471598e533045
SHA1 462f00f9bb2a3e6e36d2f5488a0e6d5192bf617e
SHA256 907d6a3b485fd535c92adcec9e02c409f56c7d3ab39ea6f1e1537345762a04d6
SHA512 83c8b43659ef138d54c5fc9e42adbc8a8e1a480232ca36583f748442c0294ac694af3715c15dcf2040ff7841ba126a1db72402c63498bfbad2639d2c0143e956

C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs

MD5 81f1bd5511e61eb83b9c375d04d3b758
SHA1 e63154b79b4bef06f1d87daba1170d526660e644
SHA256 c6ef3ed8734341b8edd80702949f5740ee4490797cb5af0eb3cad868856dd076
SHA512 5895f4e0f40b843a596fa757f29f1247fe2c05abf2a9013c04ad5b9280545f375723f1d6ed3fcdf38315fafa5fdaac8b34558a78beebbc499ccdf6a6db5c8e5c

C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs

MD5 1184c517a7d1961ce9ffa679eddbb8d4
SHA1 51f8ca6d851bb67f18a9c05ea44791469a7e42e6
SHA256 75101ecf724b56f305a4b3f296fa44f6e940872550726f4a13e52425f2f81b22
SHA512 a0626ea77c4ee469c90be93584c71d0311a05e30d699febd0319dd9e2be3b153347a58e36121a59b97ff65594422c4a226776aeb0f86935b5c330e1ed84f3c48

memory/1316-298-0x00000000017C0000-0x0000000001816000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs

MD5 705b12ef0604a9384452dc0d413c0525
SHA1 616eef306088a7bad188fcc153c51576412345ea
SHA256 37934fb2c60d55d813ba968578071147b49a22278e5bf2cc749d6df76a8de7ca
SHA512 9ad40281e2b3a434ba85eaaa7a71c5bcb7a14589382601f2106f570288e9a42c7b318272968a8c63296ff5d0e1471f790397cdfbfcee2993c4d76c4e580852b9

memory/3340-310-0x0000000002C90000-0x0000000002CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs

MD5 9b8999a13a2fbb8e4950d5ec378f0102
SHA1 b6fa39fe19704fdca0088c5d9c61788d8cfb49e7
SHA256 6892841c905fd8cf535274be953b4ad60224d3bd4928b057931786a14f33e6e3
SHA512 b740b2d7fd10f0b6fd0ceff34518c17a26388829ba5bab17250f65a7b493e2390c6a4c95e94d1ac4a4b00103f3ec644da2e74c9f52a99a7b0f7dabac8b2ba1b3

C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs

MD5 08b39de6cda89fddd9c2dc11477b22a5
SHA1 ecd87e93a38f79aa678a893e7b19ded7d28bb73d
SHA256 dc5b809ce8f3333da5a4d18b71ccef31b43924effeacd63fb5af0687489e4dc2
SHA512 e7d65687dc9ecd3a9a02dd9dacaf4aba8387bc8862cbcb2eb723834bef9057154a9faa2bee3addf3d0f04c176bf907922b4cfb05678c50c6001c78261d465752

C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs

MD5 225f1431f16e9d9b76d6903c4b1afd7c
SHA1 85856633ec0e8b95aa3caf78a17222393d5adefb
SHA256 a1054920614eac0dbc8838099998041e133f2754243de9e6213690b982024eee
SHA512 8a212d1a03f3a021b368ca1d1dfff6e76dc2018875d05b32d65c94440d5698b71e23bb00ae3c05f19eacffcf577a9184b89e0bd719924b5c91522ab536008bc2

memory/548-344-0x0000000000E60000-0x0000000000EB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs

MD5 bb1b34d9c1ca05140a24b6eca1e13789
SHA1 d6bbd10a38a92bda571e1f282ba480f9cffcb0bc
SHA256 dc702559beb57889539dc59a4cc1b796e3c7499a2fa22dc68cd198ce43a06b95
SHA512 70d34761f62ddcf209d47bc068f8a144be3708b05234a2f211b255372ef844b6f676954a84d2db77426ff0fdac3bad5cd5ba0ea3b29b6acfec3a9c2058db03cf

C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs

MD5 4951fa61a8acd273f00397cf211d6b1a
SHA1 638628c37edc6862a6bda76c8a28c1f60edc1318
SHA256 2db1c21e2380108512285a1edff99fc2d14f3ce886fa72a84a11d42bf1348277
SHA512 0ec45d8e8ee7345c81e4a46c93af03e1e89781d8308e8358b6e8a5ff9ad0c905afb9f6232de4f3a707e90ea7487298fe5f30098ab74c41b2cfef5ae295303865

memory/3708-367-0x000000001B580000-0x000000001B5D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs

MD5 fd5666f2c477e4b1e5db0f7409a85e91
SHA1 a6bc1301706c1140015a614cb438431f0a633e90
SHA256 c713d4fcaa4e3c2abd359d77767ad8bb2c2ca709894a5b27130e947d052a0ccc
SHA512 b38b5e1d2a7eda740c0ea0a70942a0c73b90bbd4ea1c026b43ff7306273f3f72f228a9bbbfa8aa1f10b59b1b008cf44024e7a8ca97ac749b55500b27c7347732