Analysis Overview
SHA256
ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908
Threat Level: Known bad
The file ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
Detects executables packed with SmartAssembly
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 02:56
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 02:56
Reported
2024-05-31 02:59
Platform
win7-20240221-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| File created | C:\Windows\System32\vga\dwm.exe | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| File created | C:\Windows\System32\vga\6cb0b6c459d5d3 | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
| N/A | N/A | C:\Windows\System32\iassvcs\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\PerfLogs\\Admin\\lsass.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\iassvcs\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\smss.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\fmifs\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\vga\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\netmsg\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
Drops file in System32 directory
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\vga\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\netmsg\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\iassvcs\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\fmifs\services.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\vga\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\netmsg\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\iassvcs\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fmifs\services.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\iassvcs\spoolsv.exe
"C:\Windows\System32\iassvcs\spoolsv.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa24909-e1f0-424b-9ffa-f47c7a818ec8.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\730f488e-633f-431e-a67e-c6d1d1724d72.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6310bd7-df60-4b26-b965-586cac677826.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546b53b3-d3fb-410d-bde4-f2e6013021b3.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3a8f9b-f414-400d-897e-0e3f8b0ff020.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657353cb-fe0d-4de0-8972-e18565c3d4b0.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e56b1e29-b58b-4187-bb7e-63e18a08ec80.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a2e2bd4-0db1-46de-a56f-cf90b66c524c.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ed16267-7572-4476-a624-97c44b236cd8.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2377991-683d-4e97-aaa2-854cc1ec4d2f.vbs"
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\iassvcs\spoolsv.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f6f2e6-30dd-4812-b3ef-00c47ccf9d10.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
Files
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
C:\Windows\System32\vga\RCXBA5D.tmp
C:\Windows\System32\netmsg\csrss.exe
C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\smss.exe
C:\Windows\System32\fmifs\RCXC7BF.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\TJQczTzsHs.bat
C:\Users\Admin\AppData\Local\Temp\94c39817-8bf7-49c7-a140-4a32fc2034e0.vbs
C:\Users\Admin\AppData\Local\Temp\b66bd392-6af4-467a-b36e-e5d7aa790e83.vbs
C:\Users\Admin\AppData\Local\Temp\10494dc4-cf11-4bda-9f50-84153b63f7a0.vbs
C:\Users\Admin\AppData\Local\Temp\d76bb401-4eb1-4e96-ad8e-b4c3fb8fe8ff.vbs
C:\Users\Admin\AppData\Local\Temp\f4a738a4-0035-4bfc-9669-a0371a26562f.vbs
C:\Users\Admin\AppData\Local\Temp\e9871421-84ba-4ba6-a224-392bae4d9027.vbs
C:\Users\Admin\AppData\Local\Temp\1744ce77-f007-40a6-8d8e-5a0cbfd12e63.vbs
C:\Users\Admin\AppData\Local\Temp\0c21170f-3899-492e-bee3-a05b951dac33.vbs
C:\Users\Admin\AppData\Local\Temp\9d22a1e4-89fb-4d4c-82fd-7d0d9615baae.vbs
C:\Users\Admin\AppData\Local\Temp\cc6c5bb4-91ec-47a0-9d09-b6431d5463a0.vbs
C:\Users\Admin\AppData\Local\Temp\1218c6ed-6286-4b65-bde1-81f5a0bfb638.vbs
C:\Users\Admin\AppData\Local\Temp\476dc567-20bd-40a4-8743-88743999dd69.vbs
C:\Users\Admin\AppData\Local\Temp\132338d2-7d49-4246-9cc6-7f694cb163d3.vbs
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 02:56
Reported
2024-05-31 02:59
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\Analog.Shell.Broker\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\All Users\\Adobe\\Setup\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\ProgramData\\SoftwareDistribution\\upfc.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PerfLogs\\fontdrvhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Analog.Shell.Broker\RCX58C1.tmp | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| File opened for modification | C:\Windows\System32\Analog.Shell.Broker\RCX58C2.tmp | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| File created | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| File opened for modification | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| File created | C:\Windows\System32\Analog.Shell.Broker\e1ef82546f0b02 | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe
"C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PerfLogs\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\SoftwareDistribution\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\fontdrvhost.exe'
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
"C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15512a27-1632-48ae-a87f-7e570874c52c.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5c93ee-959c-42f3-a57e-53e721abbb06.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60b90654-6ed7-49ff-bc29-ea38fef6213f.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\240f518e-d3e0-467e-beed-021756eaf370.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3013c67-6628-41b2-ad42-14481e46c972.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7101fda6-6084-4a69-98fd-1c2088b9ed86.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67c9098c-4b31-4c31-b57b-dcf4eb02e9b4.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48c0f184-8fd8-4273-8843-cf17d092e7f0.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b09f0430-3221-4884-8055-8dc261939e3f.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08b7206b-e08c-453c-85e8-186f9e155015.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0333ab8-9ed6-409a-aa0b-5f9920815e51.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffef8f49-f941-469f-97bc-8402dde0e9ea.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57983995-7fc2-40b1-aa84-58185cc552be.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7229e023-8505-4b34-9f70-c2f644b6bede.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68bb6dc3-ea4f-4c11-852d-8174a1605668.vbs"
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\Analog.Shell.Broker\SppExtComObj.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21847678-6bd4-4321-bcee-c386ebeee3e1.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6f1db2b-13b0-4ed0-83ad-33a51f87270c.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | srv174492.hoster-test.ru | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/344-0-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp
memory/344-1-0x0000000000770000-0x00000000009B6000-memory.dmp
memory/344-2-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
memory/344-3-0x0000000002A10000-0x0000000002A1C000-memory.dmp
memory/344-4-0x0000000002A20000-0x0000000002A30000-memory.dmp
memory/344-5-0x0000000002A30000-0x0000000002A86000-memory.dmp
memory/344-6-0x0000000002A90000-0x0000000002A98000-memory.dmp
memory/344-8-0x0000000002BC0000-0x0000000002BCA000-memory.dmp
memory/344-7-0x0000000002BB0000-0x0000000002BBA000-memory.dmp
memory/344-9-0x0000000002BD0000-0x0000000002BDC000-memory.dmp
memory/344-10-0x000000001B5D0000-0x000000001B5DA000-memory.dmp
memory/344-11-0x000000001B5E0000-0x000000001B5EC000-memory.dmp
memory/344-12-0x000000001B5F0000-0x000000001B5F8000-memory.dmp
memory/344-13-0x000000001B600000-0x000000001B60A000-memory.dmp
C:\PerfLogs\fontdrvhost.exe
| MD5 | 8a47ebacc81a5930588692128bc229f8 |
| SHA1 | 3323a7c3376d19d5db6decb7c0fe2747848f9725 |
| SHA256 | ca5977caf718800b7ee0b7cff3825ee4e40c38432eb88ab04f6b5f40b67ad908 |
| SHA512 | d2c12419b5b78570f723137f768199cdd2dbf78456d260965bba037646ab2a569acac4da6a2bdcaa80fb6f6bb0ef1892675894a0a2ea760fdb5f322d935d4e14 |
C:\ProgramData\SoftwareDistribution\upfc.exe
| MD5 | 890c6979f506268ec4cb03d22e323b54 |
| SHA1 | dc0e3fd26dc90a0cf9f303634e3b04321f81d2c5 |
| SHA256 | 4d6c0af64ff09fbc2e869a7f78291396de04b08b41f166311cc8cc8222779ab1 |
| SHA512 | 7402617bd6a64c778f22c663cef462a306459f9a28e87f9b543d8960c97fd8258d40a64f5489457c9097afbbe3634436b2eeb3dd92f73c805d88d300b32815f6 |
memory/3096-142-0x000001EF6F8B0000-0x000001EF6F8D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogy10xi.aa1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/344-203-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/4724-217-0x000000001AFE0000-0x000000001B036000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0351f545-5ef5-438e-976e-8638c387e22b.vbs
| MD5 | 725e8c09310641092c830ac46617df5e |
| SHA1 | de4df0b4d84c9fc3d7094b09422f2853f5d3f923 |
| SHA256 | 48a6b2d382f4165077f7918957d8878dab737e1d4aa5dfe8bcb27b4be7ce172b |
| SHA512 | 39749ad2cc56dce3dee0d2e023e2c7731f822be89f3e32c9179502e156a1b62153d158140c0c9b9629f8a97f4e8e0e8fac96e39596e792438d5d1903d7af70ab |
C:\Users\Admin\AppData\Local\Temp\73d0f563-2cab-4691-b7b6-8a5373885f38.vbs
| MD5 | 335cf549b99251e92119cb0e197ebac8 |
| SHA1 | b465bae1e29ac519998f9f921102e7bcf7414682 |
| SHA256 | c9d491a34273e31af4b690b5e76e7e0cfc592f9793849954e1b1ac10cb45ede5 |
| SHA512 | f312e56057b79b86e8a7c50ae5769305c58116146b5203659e0b8d69dbc06bd170c822b47d7a5a1bf615f7dd876579e0a963fbe2492fb943c51fe285ccf1dc1c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/3028-230-0x0000000002DD0000-0x0000000002E26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ff9fc68a-5537-4993-87c3-c1414412a145.vbs
| MD5 | b28d1c02d33eed47d3c9ce0cea6878f0 |
| SHA1 | ffdf793160e4c20e274e5cab9e9656e07fb310ee |
| SHA256 | a726408c3a645cf2eb5b9ad8bc0701b2fbf72eb668a1e49676dc8272bd8e12cc |
| SHA512 | bb49d75054dfeb4e70940fe178524a3f6d76b78a630d71b1af10c427f542267c0ac4f8b49488c1a3c6d085eb00a5e389538b91ae76cf243f862c7a6546d6f769 |
C:\Users\Admin\AppData\Local\Temp\8e99529d-7ead-4eb5-a02b-ccfbbb331a62.vbs
| MD5 | a7378dded00637f3f08a8f1393afe3af |
| SHA1 | 5f2818c64815c4720c079c25938e21391a4a268e |
| SHA256 | 2e07edcf3499270d85453ca03618c7087310689981e26694a465e7dc03d1e395 |
| SHA512 | 1f955ee0ad13c35382786470cf70f127b88370e261f3b0376f542cb89091c65b1f5ff12da178e094e1d28ceec13be5af6374837adbb6b89b632706190468d1a7 |
memory/452-253-0x000000001BDC0000-0x000000001BE16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6d4435c6-643b-44bb-a47d-94185b57422e.vbs
| MD5 | 67016f70b2fd0c5c4ab8932ef4411b67 |
| SHA1 | a93d02dc81809d9bdd236368725e8943ed6882dd |
| SHA256 | ed25245c0f29f97a888d1375c2f5dc2e9815bc3819f308a60b886acdc1e31b82 |
| SHA512 | 1c9a38e33de15d04428d0b092d32b6ba97fd05dca18d8ad27108cccf155c5bfd26efa6d7d1c370701ecdcbc108aabf0034e2823de05cf03d1574719a46574896 |
C:\Users\Admin\AppData\Local\Temp\f7bd1255-7b10-47bb-a3ef-1344ec7ada48.vbs
| MD5 | 80969060b621e75029d471598e533045 |
| SHA1 | 462f00f9bb2a3e6e36d2f5488a0e6d5192bf617e |
| SHA256 | 907d6a3b485fd535c92adcec9e02c409f56c7d3ab39ea6f1e1537345762a04d6 |
| SHA512 | 83c8b43659ef138d54c5fc9e42adbc8a8e1a480232ca36583f748442c0294ac694af3715c15dcf2040ff7841ba126a1db72402c63498bfbad2639d2c0143e956 |
C:\Users\Admin\AppData\Local\Temp\ad6c1669-108d-46c5-89ad-57294091ce76.vbs
| MD5 | 81f1bd5511e61eb83b9c375d04d3b758 |
| SHA1 | e63154b79b4bef06f1d87daba1170d526660e644 |
| SHA256 | c6ef3ed8734341b8edd80702949f5740ee4490797cb5af0eb3cad868856dd076 |
| SHA512 | 5895f4e0f40b843a596fa757f29f1247fe2c05abf2a9013c04ad5b9280545f375723f1d6ed3fcdf38315fafa5fdaac8b34558a78beebbc499ccdf6a6db5c8e5c |
C:\Users\Admin\AppData\Local\Temp\633ca69f-240a-44d9-8f61-2eae9c2d8ef0.vbs
| MD5 | 1184c517a7d1961ce9ffa679eddbb8d4 |
| SHA1 | 51f8ca6d851bb67f18a9c05ea44791469a7e42e6 |
| SHA256 | 75101ecf724b56f305a4b3f296fa44f6e940872550726f4a13e52425f2f81b22 |
| SHA512 | a0626ea77c4ee469c90be93584c71d0311a05e30d699febd0319dd9e2be3b153347a58e36121a59b97ff65594422c4a226776aeb0f86935b5c330e1ed84f3c48 |
memory/1316-298-0x00000000017C0000-0x0000000001816000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d8b98cd4-78d3-4b62-be68-655e618f64f5.vbs
| MD5 | 705b12ef0604a9384452dc0d413c0525 |
| SHA1 | 616eef306088a7bad188fcc153c51576412345ea |
| SHA256 | 37934fb2c60d55d813ba968578071147b49a22278e5bf2cc749d6df76a8de7ca |
| SHA512 | 9ad40281e2b3a434ba85eaaa7a71c5bcb7a14589382601f2106f570288e9a42c7b318272968a8c63296ff5d0e1471f790397cdfbfcee2993c4d76c4e580852b9 |
memory/3340-310-0x0000000002C90000-0x0000000002CE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1aefdea1-bd15-48ce-8c94-e03ed473b990.vbs
| MD5 | 9b8999a13a2fbb8e4950d5ec378f0102 |
| SHA1 | b6fa39fe19704fdca0088c5d9c61788d8cfb49e7 |
| SHA256 | 6892841c905fd8cf535274be953b4ad60224d3bd4928b057931786a14f33e6e3 |
| SHA512 | b740b2d7fd10f0b6fd0ceff34518c17a26388829ba5bab17250f65a7b493e2390c6a4c95e94d1ac4a4b00103f3ec644da2e74c9f52a99a7b0f7dabac8b2ba1b3 |
C:\Users\Admin\AppData\Local\Temp\62224a12-2b17-4ad6-ac8a-773cb2691eac.vbs
| MD5 | 08b39de6cda89fddd9c2dc11477b22a5 |
| SHA1 | ecd87e93a38f79aa678a893e7b19ded7d28bb73d |
| SHA256 | dc5b809ce8f3333da5a4d18b71ccef31b43924effeacd63fb5af0687489e4dc2 |
| SHA512 | e7d65687dc9ecd3a9a02dd9dacaf4aba8387bc8862cbcb2eb723834bef9057154a9faa2bee3addf3d0f04c176bf907922b4cfb05678c50c6001c78261d465752 |
C:\Users\Admin\AppData\Local\Temp\bf5a918c-536d-4481-b80b-77748e7827bc.vbs
| MD5 | 225f1431f16e9d9b76d6903c4b1afd7c |
| SHA1 | 85856633ec0e8b95aa3caf78a17222393d5adefb |
| SHA256 | a1054920614eac0dbc8838099998041e133f2754243de9e6213690b982024eee |
| SHA512 | 8a212d1a03f3a021b368ca1d1dfff6e76dc2018875d05b32d65c94440d5698b71e23bb00ae3c05f19eacffcf577a9184b89e0bd719924b5c91522ab536008bc2 |
memory/548-344-0x0000000000E60000-0x0000000000EB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8fb53dd9-66c4-4c72-9f8a-76b6d158963f.vbs
| MD5 | bb1b34d9c1ca05140a24b6eca1e13789 |
| SHA1 | d6bbd10a38a92bda571e1f282ba480f9cffcb0bc |
| SHA256 | dc702559beb57889539dc59a4cc1b796e3c7499a2fa22dc68cd198ce43a06b95 |
| SHA512 | 70d34761f62ddcf209d47bc068f8a144be3708b05234a2f211b255372ef844b6f676954a84d2db77426ff0fdac3bad5cd5ba0ea3b29b6acfec3a9c2058db03cf |
C:\Users\Admin\AppData\Local\Temp\40bbc39e-80cd-43b8-b761-8cc84f6fbf0e.vbs
| MD5 | 4951fa61a8acd273f00397cf211d6b1a |
| SHA1 | 638628c37edc6862a6bda76c8a28c1f60edc1318 |
| SHA256 | 2db1c21e2380108512285a1edff99fc2d14f3ce886fa72a84a11d42bf1348277 |
| SHA512 | 0ec45d8e8ee7345c81e4a46c93af03e1e89781d8308e8358b6e8a5ff9ad0c905afb9f6232de4f3a707e90ea7487298fe5f30098ab74c41b2cfef5ae295303865 |
memory/3708-367-0x000000001B580000-0x000000001B5D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f9ac3e6b-b6ef-47a4-aa9a-030aac171292.vbs
| MD5 | fd5666f2c477e4b1e5db0f7409a85e91 |
| SHA1 | a6bc1301706c1140015a614cb438431f0a633e90 |
| SHA256 | c713d4fcaa4e3c2abd359d77767ad8bb2c2ca709894a5b27130e947d052a0ccc |
| SHA512 | b38b5e1d2a7eda740c0ea0a70942a0c73b90bbd4ea1c026b43ff7306273f3f72f228a9bbbfa8aa1f10b59b1b008cf44024e7a8ca97ac749b55500b27c7347732 |