Malware Analysis Report

2024-10-10 12:51

Sample ID 240601-2lrr9ahc8x
Target 6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4
SHA256 6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4
Tags rat dcrat execution infostealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4

Threat Level: Known bad

The file 6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4 was found to be: Known bad.

Malicious Activity Summary

Tags rat dcrat execution infostealer

Dcrat family
DCRat payload
DcRat
Process spawned unexpected child process
Detects executables packed with SmartAssembly
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:40

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 22:40
Reported 2024-06-01 22:43
Platform win7-20240419-en
Max time kernel 118s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(27 identical rows, one per schtasks /create in the process list below.)

wmiprvse.exe as the parent of schtasks.exe is the trace left when a process is started through WMI (Win32_Process.Create): the WMI provider host, not the caller, becomes the parent. For the same reason the sample never appears writing to a schtasks.exe process in the WriteProcessMemory table below. A detection keyed on "sample.exe spawns schtasks.exe" therefore misses this task creation; key it on wmiprvse.exe -> schtasks.exe, or on the schtasks command line itself.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no detail recorded)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no detail recorded)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe N/A (2 identical rows)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process (number of identical rows)
C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe (29)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (12)
C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe (23)

Suspicious use of WriteProcessMemory

Every target PID appears three times in the raw table; the rows are de-duplicated here. Each target is a process the source itself started (compare the process list below), which is consistent with ordinary process start-up rather than injection into an unrelated process.

Source PID, Source process -> Target PID(s), Target process
3028 C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe -> 568, 1032, 2856, 2836, 2052, 1840, 2260, 2176, 2820, 892, 1724, 1404 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (12 processes)
3028 C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe -> 2616 C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
2616 C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe -> 1392, 2152 C:\Windows\System32\WScript.exe
1392 C:\Windows\System32\WScript.exe -> 884 C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
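The two signature tables above are easier to read as a process tree. The Python below is an added example, not part of the sandbox output: it parses rows in the report's own row format (ROWS reproduces them with the same counts: 27 wmiprvse rows and three WriteProcessMemory rows per child), de-duplicates the triplicated rows, renders the tree by PID and applies three lineage rules. The regexes assume image paths without spaces, and the PS_FANOUT threshold is an assumed value.

```python
"""Rebuild process lineage from the 'Process spawned unexpected child process'
and 'Suspicious use of WriteProcessMemory' rows of a sandbox report.

Added example, not part of the report. ROWS reproduces the report's rows in
the report's own format and counts; PS_FANOUT and the no-spaces-in-path
assumption are the editor's.
"""
import re
from collections import defaultdict

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SPAWN_ROW = re.compile(r"^Parent (\S+) is not expected to spawn this process N/A (\S+)$")
PS_FANOUT = 8  # assumption: this many powershell.exe children from one parent is scripted abuse

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSRSS = r"C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"


def _wpm(ppid, cpid, pimg, cimg):
    """One WriteProcessMemory row exactly as the report prints it."""
    return f"PID {ppid} wrote to memory of {cpid} N/A {pimg} {cimg}"


PS_PIDS = (568, 1032, 2856, 2836, 2052, 1840, 2260, 2176, 2820, 892, 1724, 1404)
# Same rows and multiplicities as the report's tables (27 + 12*3 + 3 + 3 + 3 + 3).
ROWS = (
    [f"Parent {WMI} is not expected to spawn this process N/A {SCHTASKS}"] * 27
    + [_wpm(3028, c, SAMPLE, PS) for c in PS_PIDS for _ in range(3)]
    + [_wpm(3028, 2616, SAMPLE, CSRSS)] * 3
    + [_wpm(2616, 1392, CSRSS, WSCRIPT)] * 3
    + [_wpm(2616, 2152, CSRSS, WSCRIPT)] * 3
    + [_wpm(1392, 884, WSCRIPT, CSRSS)] * 3
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Return (pid_edges, image_edges): de-duplicated (ppid, pimg, cpid, cimg)
    tuples for rows that carry PIDs, and {(pimg, cimg): count} for rows that do not."""
    pid_edges, image_edges = set(), defaultdict(int)
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            pid_edges.add((int(ppid), pimg, int(cpid), cimg))
            continue
        m = SPAWN_ROW.match(row)
        if m:
            image_edges[m.groups()] += 1
    return pid_edges, dict(image_edges)


def render_tree(pid_edges):
    """Indented tree lines ('<pid> <image name>'), rooted at PIDs never seen as a child."""
    children, names = defaultdict(list), {}
    for ppid, pimg, cpid, cimg in sorted(pid_edges):
        children[ppid].append(cpid)
        names[ppid], names[cpid] = pimg, cimg
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in children if p not in all_children]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(names[pid])}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in sorted(roots):
        walk(r, 0)
    return lines


def lineage_findings(pid_edges, image_edges):
    """Three lineage rules: WMI-created children, script host launching a PE, powershell fan-out."""
    findings = []
    for (pimg, cimg), n in image_edges.items():
        if basename(pimg) == "wmiprvse.exe":
            findings.append(f"{basename(cimg)} started {n}x under wmiprvse.exe: "
                            "created through WMI, so its parent is not the sample")
    fanout = defaultdict(set)
    for ppid, pimg, cpid, cimg in pid_edges:
        if basename(pimg) == "wscript.exe" and cimg.lower().endswith(".exe"):
            findings.append(f"PID {ppid} wscript.exe launched {cimg}")
        if basename(cimg) == "powershell.exe":
            fanout[(ppid, pimg)].add(cpid)
    for (ppid, pimg), kids in fanout.items():
        if len(kids) >= PS_FANOUT:
            findings.append(f"PID {ppid} {basename(pimg)} started {len(kids)} powershell.exe children")
    return findings


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    print("\n".join(render_tree(edges)))
    for f in lineage_findings(edges, images):
        print("!", f)
```

The tree makes the relay visible at a glance: the sample starts its own copy (csrss.exe, PID 2616), that copy runs two VBS files through WScript.exe, and one of those scripts starts csrss.exe again (PID 884). The schtasks.exe processes are absent from the PID tree because the report only records them under wmiprvse.exe.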

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe
  "C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe"

C:\Windows\system32\schtasks.exe (27 invocations)
  For each of nine dropped binaries the sample registers three tasks: a minute-interval task, an ONLOGON task with /rl HIGHEST, and a second minute-interval task with /rl HIGHEST. The interval tasks are named after the binary plus one extra character, the ONLOGON task after the bare binary name. Eight of the nine targets carry the name of a Windows system process (lsm, smss, csrss, lsass, audiodg, dllhost, Idle) and every one of them lives outside System32.
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\smss.exe'" /f
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\smss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\smss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f
  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dllhost.exe'" /f
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\dllhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c46" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /f
  schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c46" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (12 invocations)
  One Microsoft Defender exclusion for the drive root and one for each top-level folder of C:. The first exclusion names the whole volume, so the remaining eleven are redundant if it takes effect.
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
  "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe"

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c004a47-7b11-49a6-a28f-7b6ea1e1daa4.vbs"

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\504d0345-730f-4b4f-9ccb-509da1e202e6.vbs"

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
  (no command line recorded)

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
  (no command line recorded)
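The schtasks and Add-MpPreference command lines above are the part of this report worth turning into detection logic. The Python below is an added example, not part of the report or of any vendor tooling: it parses schtasks /create lines and Defender exclusion lines, flags the patterns this sample shows (system-process name outside System32, /rl HIGHEST, minute-interval re-launch, exclusion of a filesystem root), and runs over a handful of lines copied from the process list plus one constructed benign line. SYSTEM_NAMES, SYSTEM_DIRS, BROAD_ROOTS and the 15-minute threshold are the editor's assumptions, not sandbox data.

```python
"""Command-line triage for scheduled-task persistence and Defender-exclusion abuse.

Added example, not part of the sandbox report. The schtasks and powershell
lines in SAMPLE_CMDLINES are copied from the report's process list except
the one marked as a constructed benign control. The name lists, directory
lists and MAX_MINUTES threshold are assumptions.
"""
import re
from dataclasses import dataclass, field

# Core Windows binaries that DCRat-style droppers impersonate.
# Assumption: a genuine copy of any of these only runs from SYSTEM_DIRS.
SYSTEM_NAMES = {
    "csrss.exe", "lsm.exe", "smss.exe", "lsass.exe", "dllhost.exe", "audiodg.exe",
    "idle.exe", "wininit.exe", "services.exe", "svchost.exe", "winlogon.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# A Defender exclusion on a volume or top-level folder stops scanning for
# everything beneath it; no per-application exclusion looks like this.
BROAD_ROOTS = {
    "c:/", "c:/users/", "c:/windows/", "c:/program files/", "c:/program files (x86)/",
    "c:/programdata/", "c:/recovery/", "c:/$recycle.bin/", "c:/msocache/",
    "c:/perflogs/", "c:/documents and settings/", "c:/system volume information/",
}
MAX_MINUTES = 15  # assumption: a /sc MINUTE task firing this often is a watchdog, not a job


@dataclass
class Finding:
    cmdline: str
    reasons: list = field(default_factory=list)


def _tokens(cmdline):
    """Split on whitespace but keep double-quoted spans (quotes included) whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def _opt(tokens, flag):
    """Value following a /flag token, case-insensitive, with surrounding quotes stripped."""
    low = [t.lower() for t in tokens]
    if flag in low:
        i = low.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1].strip("\"'")
    return None


def check_schtasks(cmdline):
    """Return a Finding for a suspicious 'schtasks /create' line, else None."""
    tokens = _tokens(cmdline)
    low = [t.lower() for t in tokens]
    if not low or not low[0].strip('"').endswith("schtasks.exe") or "/create" not in low:
        return None
    target = (_opt(tokens, "/tr") or "").lower()
    name = target.rsplit("\\", 1)[-1]
    reasons = []
    if name in SYSTEM_NAMES and not target.startswith(SYSTEM_DIRS):
        reasons.append(f"system-process name outside System32/SysWOW64: {target}")
    if (_opt(tokens, "/rl") or "").lower() == "highest":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    sched, mo = (_opt(tokens, "/sc") or "").lower(), _opt(tokens, "/mo") or ""
    if sched == "minute" and mo.isdigit() and int(mo) <= MAX_MINUTES:
        reasons.append(f"re-launched every {mo} minutes (watchdog-style trigger)")
    return Finding(cmdline, reasons) if reasons else None


_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)


def check_defender_exclusion(cmdline):
    """Return a Finding when a Defender path exclusion covers a filesystem root."""
    m = _EXCL.search(cmdline)
    if m and m.group(1).lower() in BROAD_ROOTS:
        return Finding(cmdline, [f"Defender exclusion on filesystem root {m.group(1)}"])
    return None


def triage(cmdlines):
    """Run both checks over process command lines and return the Findings."""
    out = []
    for c in cmdlines:
        f = check_schtasks(c) or check_defender_exclusion(c)
        if f:
            out.append(f)
    return out


SAMPLE_CMDLINES = [
    # 0-3: copied from the report's process list
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f''',
    # 4: constructed benign control, not from the report
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"''',
    # 5-7: copied from the report's process list
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Users/'",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f.cmdline)
        for r in f.reasons:
            print("  -", r)
```

On a live host the same functions can be fed the command lines from Sysmon event ID 1 or Security event 4688 process-creation records, or the Actions of already-registered tasks exported with schtasks /query /xml. Note that on Windows 7 the task target C:\Users\Default User\lsm.exe and the dropped file C:\Users\Default\lsm.exe listed under Files are the same file, because "Default User" is a junction to "Default"; path rules should therefore compare on the resolved path.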

Network

Country Destination Domain Proto
PL 95.214.53.31:80 (none) tcp (2 identical rows)

Files

memory/3028-0-0x000007FEF5293000-0x000007FEF5294000-memory.dmp

memory/3028-1-0x00000000002A0000-0x0000000000456000-memory.dmp

memory/3028-2-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

memory/3028-3-0x0000000000490000-0x00000000004AC000-memory.dmp

memory/3028-4-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/3028-5-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/3028-6-0x00000000005F0000-0x0000000000606000-memory.dmp

memory/3028-7-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/3028-8-0x0000000000620000-0x0000000000630000-memory.dmp

memory/3028-9-0x0000000000610000-0x000000000061C000-memory.dmp

memory/3028-10-0x00000000020E0000-0x00000000020E8000-memory.dmp

memory/3028-12-0x00000000020F0000-0x00000000020FC000-memory.dmp

memory/3028-13-0x0000000002100000-0x000000000210C000-memory.dmp

memory/3028-16-0x0000000002290000-0x000000000229C000-memory.dmp

memory/3028-15-0x0000000002120000-0x0000000002128000-memory.dmp

memory/3028-14-0x0000000002110000-0x000000000211A000-memory.dmp

memory/3028-17-0x0000000002320000-0x000000000232C000-memory.dmp

memory/3028-20-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
(same SHA256 as the submitted sample: this dropped csrss.exe is a byte-for-byte copy of the original executable under a system-process name)

MD5 39f0dd73b6cd3626818cb2f1dc808fff
SHA1 5a75243e011e0b435225548d7d332a5401813c7a
SHA256 6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4
SHA512 c4a72e89c655dbd54fe1f9ace1e5106b589f145a67226f857bb0d118036f244bf040c6043cd95ec89f4097c96789cf85b9954dc5a99df78417f1b349e34ad5f0

C:\Users\Default\lsm.exe (the scheduled tasks above point at C:\Users\Default User\lsm.exe; "Default User" is a junction to "Default" on this platform, so it is the same file)

MD5 555a0dc9c748407247bd91b75e5b5ba0
SHA1 c34becae802a317323304395c04dea132ad57d3c
SHA256 4d26d17603040023b5fc62f3896bb7759544d429f5e74029ac031e931d08b0a4
SHA512 eea9d708188e77f5278bd11b7d3d7ab13b2cd083a317105c4617fcf7a8aab3de669cc2f67702da162d355fe1ef1151fdf37e21417b766062f8f86c51f3bafb21

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

MD5 13abd558c18e5408d60458af13f7f584
SHA1 083a420b03659c9e35226b06b72ba81d962a2d2a
SHA256 1e6eac4ca2d4a2ea96235f32a058abd3ca353a21c87507210880f0edbfa7bf54
SHA512 415429d0b9664df7c4213003b328b769157fd1fea287386bef876dda9864b0724625e1d4781cee3f2be4812816a032123da579439b5e00a9c0523f1604c58681

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N3BBF77LZP143C7GQU1R.temp

MD5 a850f1219be800386e74eaee8ce4f5a5
SHA1 753a820acb29ae7e86ac4f1e7f3c75f128a0de2b
SHA256 dfcb1a493c61d78e648706819cfafb3ff9d48d207533e4a3022bae1eb6807d61
SHA512 002334a203cf8fb7850a5c24dd05ccb734a8636fe62d39e0917dc2de1c01ed5f7933a8038b69140e67ebf985ad781cad90b494b0f2215ee3eec5a33b325da9ca

memory/2856-173-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

memory/2616-176-0x0000000001290000-0x0000000001446000-memory.dmp

memory/2856-168-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/3028-181-0x000007FEF5290000-0x000007FEF5C7C000-memory.dmp

memory/2616-188-0x0000000000C00000-0x0000000000C12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1c004a47-7b11-49a6-a28f-7b6ea1e1daa4.vbs

MD5 912d5c9e5a5b2e5caa52c694515b9445
SHA1 8d36706bdae514980b5a8bf82aea5b90d75f1b4f
SHA256 b123c3f8f577cfb9f69dbb7ef0d37d9930dd727372209dc51754b403bdf960ca
SHA512 8b6e853826e5cc911d5747a5d59aad01db3a7c129fca2ee1ce603a213720ae741bb4657cd4ec17e1abc054fab71f3c6ab1c4aeb4a160bfc758d2cbbb94ca1ed4

C:\Users\Admin\AppData\Local\Temp\504d0345-730f-4b4f-9ccb-509da1e202e6.vbs

MD5 4795108d72831df23844471b60f088ff
SHA1 88717dc84bee8795df1d9dd0d719210f18b41e70
SHA256 be29aedba6eec0b7d949d00282c448b13bac0ca750ec4d2747284307861bb37b
SHA512 ca88f2c18b312998261ca09c94accc047f21fa5564a5a9787635f7d28bc9313b702121e6ca3354136ab8fed1e9dd16e12dbae40374e723b9d4e0cf41b5f5d001

memory/884-228-0x0000000000A50000-0x0000000000A62000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 22:40
Reported 2024-06-01 22:43
Platform win10v2004-20240508-en
Max time kernel 135s
Max time network 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office\Office16\Registry.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office16\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\RCX4A79.tmp C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX4CBC.tmp C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\RCX4CBD.tmp C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\f72b6a0b914b27 C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File created C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\RCX4A78.tmp C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Office16\Registry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\cmd.exe
PID 2948 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe C:\Windows\System32\cmd.exe
PID 3300 wrote to memory of 3172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3300 wrote to memory of 3172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3300 wrote to memory of 4144 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Office16\Registry.exe
PID 3300 wrote to memory of 4144 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Office16\Registry.exe
PID 4144 wrote to memory of 3576 N/A C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Windows\System32\WScript.exe
PID 4144 wrote to memory of 3576 N/A C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Windows\System32\WScript.exe
PID 4144 wrote to memory of 2556 N/A C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Windows\System32\WScript.exe
PID 4144 wrote to memory of 2556 N/A C:\Program Files\Microsoft Office\Office16\Registry.exe C:\Windows\System32\WScript.exe
PID 3576 wrote to memory of 4172 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\Registry.exe
PID 3576 wrote to memory of 4172 N/A C:\Windows\System32\WScript.exe C:\Program Files\Microsoft Office\Office16\Registry.exe

Uses Task Scheduler COM API

persistence
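
Two of the signatures above translate directly into detection rules that do not depend on a family-specific YARA hit: wmiprvse.exe recorded as the parent of schtasks.exe (the parent/child pair you get when a process is launched through WMI's Win32_Process.Create rather than directly), and the sample launching one powershell.exe per top-level directory to register a Defender exclusion, with the exact command lines listed under Processes below. The Python below is an added example, not sandbox output and not DCRat code: it runs three per-event rules over constructed process-creation records modelled on this run, plus one aggregate rule that notices several tasks registered against the same target. The Sysmon-like record layout, the PIDs 9001-9004 of the schtasks.exe events, the pairing of PIDs 2516/2428/3252 with particular exclusion paths, the two benign control rows 9100/9101, and the 15-minute interval threshold are assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed process-creation records. Images, parents and command lines come
# from this report's behavioral2 run; the Sysmon-like field layout, the PIDs of
# the schtasks.exe events (9001-9004), the PID-to-command pairing of the
# powershell.exe events and the two control rows (9100, 9101) are assumed.
HASH = "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % HASH
VLC_COPY = r"C:\Program Files\VideoLAN\VLC\lua\http\%s.exe" % HASH
OFFICE_COPY = r"C:\Program Files\Microsoft Office\Office16\Registry.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
EXPLORER = r"C:\Windows\explorer.exe"

def _excl(path):  # the report's Defender-exclusion command-line shape
    return "\"powershell\" -Command Add-MpPreference -ExclusionPath '%s'" % path

def _create(tn, sc, tr, mo=None, rl=None):  # the report's schtasks /create shape
    parts = ["schtasks.exe", "/create", "/tn", '"%s"' % tn, "/sc", sc]
    parts += ["/mo", str(mo)] if mo else []
    return " ".join(parts + ["/tr", "\"'%s'\"" % tr] + (["/rl", rl] if rl else []) + ["/f"])

EVENTS = [dict(zip(("pid", "parent", "image", "cmdline"), row)) for row in (
    (2516, SAMPLE, PS, _excl("C:/")),
    (2428, SAMPLE, PS, _excl("C:/Program Files/")),
    (3252, SAMPLE, PS, _excl("C:/Users/")),
    (9001, WMIPRVSE, SCHTASKS, _create("Registry", "ONLOGON", OFFICE_COPY, rl="HIGHEST")),
    (9002, WMIPRVSE, SCHTASKS, _create("RegistryR", "MINUTE", OFFICE_COPY, mo=5, rl="HIGHEST")),
    (9003, WMIPRVSE, SCHTASKS, _create("RegistryR", "MINUTE", OFFICE_COPY, mo=6)),
    (9004, WMIPRVSE, SCHTASKS, _create(HASH, "ONLOGON", VLC_COPY, rl="HIGHEST")),
    (9100, EXPLORER, SCHTASKS, 'schtasks.exe /query /tn "Registry"'),  # control: benign query
    (9101, EXPLORER, PS, _excl("C:/Dev/build/cache/")),                 # control: narrow exclusion
)]

Finding = namedtuple("Finding", "rule pid detail")
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_EXCL = re.compile(r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"
                   r"(?P<val>\"[^\"]*\"|'[^']*'|\S+)", re.I)
SHORT_INTERVAL_MIN = 15  # assumed threshold for "re-runs suspiciously often"
# Parents that should never launch these children; generalised from the report's
# "Process spawned unexpected child process" signature.
UNEXPECTED_CHILDREN = {"wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe"}}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_schtasks_create(cmdline):
    """Options of a 'schtasks /create' command line; None for anything else."""
    toks = [t.strip("\"'") for t in _TOKEN.findall(cmdline)]
    low = [t.lower() for t in toks]
    if not toks or basename(toks[0]) not in ("schtasks.exe", "schtasks") or "/create" not in low:
        return None
    return {t: toks[i + 1] for i, t in enumerate(low)
            if t in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks)}

def check_parent(ev):
    parent, child = basename(ev["parent"]), basename(ev["image"])
    if child in UNEXPECTED_CHILDREN.get(parent, ()):
        return Finding("unexpected_parent", ev["pid"], "%s spawned %s" % (parent, child))

def check_schtasks(ev):
    opts = parse_schtasks_create(ev["cmdline"])
    if opts is None:
        return None
    reasons = []
    if opts.get("/sc", "").upper() == "MINUTE" and int(opts.get("/mo", "1")) <= SHORT_INTERVAL_MIN:
        reasons.append("re-runs every %s min" % opts.get("/mo", "1"))
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("RunLevel HIGHEST")
    if reasons:
        return Finding("schtasks_persistence", ev["pid"],
                       "task %r -> %s (%s)" % (opts.get("/tn"), opts.get("/tr"), ", ".join(reasons)))

def check_defender_exclusion(ev):
    m = _EXCL.search(ev["cmdline"])
    if not m:
        return None
    kind, val = m.group("kind"), m.group("val").strip("\"'")
    norm = val.replace("/", "\\").rstrip("\\")
    if kind.lower() == "path" and norm.count("\\") <= 1:  # drive root or a top-level directory
        return Finding("defender_exclusion_broad", ev["pid"], "exclusion covers %s" % norm)
    return Finding("defender_exclusion", ev["pid"], "-Exclusion%s %s" % (kind, val))

def analyze(events):
    """Per-event rules, then one aggregate rule: a target registered by 2+ /create commands."""
    findings, targets = [], Counter()
    for ev in events:
        findings += [f for f in (check_parent(ev), check_schtasks(ev), check_defender_exclusion(ev)) if f]
        opts = parse_schtasks_create(ev["cmdline"])
        if opts and "/tr" in opts:
            targets[opts["/tr"].lower()] += 1
    return findings + [Finding("persistence_spray", None, "%d tasks point at %s" % (n, t))
                       for t, n in targets.items() if n >= 2]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print("[%s] pid=%s %s" % (f.rule, f.pid, f.detail))
```

Run as a script it prints one line per finding for the constructed records; in practice the same four fields come from Sysmon event 1 or an EDR's process-creation feed. The broad-exclusion rule keys on path depth rather than on a list of directory names, so 'C:/' and every top-level directory the sample excluded trip it while a deep, specific build-cache exclusion only produces the lower-severity finding.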

Processes

C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe

"C:\Users\Admin\AppData\Local\Temp\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c46" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c46" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOqXiy1HZC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office\Office16\Registry.exe

"C:\Program Files\Microsoft Office\Office16\Registry.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4df294-bfcb-4a0a-b358-ffde13e5f6a4.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2298898f-9d76-4325-84f3-b120f0cc6a1b.vbs"

C:\Program Files\Microsoft Office\Office16\Registry.exe

"C:\Program Files\Microsoft Office\Office16\Registry.exe"
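
The six schtasks.exe lines above each register a task named after its target (Registry and RegistryR for Registry.exe, the sample's hash with a digit appended for the VLC copy), re-run it every few minutes or at logon, and ask for the highest run level. On a live host those tasks survive as XML files under C:\Windows\System32\Tasks, so the same pattern can be found forensically after the process telemetry is gone. The Python below is an added example and not part of this report: it audits task XML modelled on the tasks created here, plus one invented benign task as a control, records each task's target, run level and triggers, flags the traits visible in this run, and returns the tasks carrying two or more flags. The XML bodies (trimmed to the elements the audit reads), the NightlyBackup task, the 15-minute repetition threshold and the name-mirrors-target heuristic are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
HASH = "6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4"

# Constructed task definitions in the XML shape Task Scheduler keeps under
# C:\Windows\System32\Tasks (elements the audit does not read are omitted).
# Names, triggers, run levels and targets follow the schtasks /create lines in
# this report; the "NightlyBackup" task is an invented benign control.
def _task(triggers, run_level, command):
    return ('<Task version="1.2" xmlns="%s"><Triggers>%s</Triggers>'
            '<Principals><Principal id="Author"><RunLevel>%s</RunLevel></Principal></Principals>'
            '<Actions Context="Author"><Exec><Command>"%s"</Command></Exec></Actions></Task>'
            % (NS["t"], triggers, run_level, command))

_EVERY = ('<TimeTrigger><Repetition><Interval>%s</Interval>'
          '<StopAtDurationEnd>false</StopAtDurationEnd></Repetition>'
          '<StartBoundary>2024-06-01T22:41:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>')
_LOGON = '<LogonTrigger><Enabled>true</Enabled></LogonTrigger>'
_DAILY = ('<CalendarTrigger><StartBoundary>2024-06-01T02:00:00</StartBoundary>'
          '<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>')
OFFICE_COPY = r"C:\Program Files\Microsoft Office\Office16\Registry.exe"
VLC_COPY = r"C:\Program Files\VideoLAN\VLC\lua\http\%s.exe" % HASH

TASKS = [
    ("Registry", _task(_LOGON, "HighestAvailable", OFFICE_COPY)),
    ("RegistryR", _task(_EVERY % "PT5M", "HighestAvailable", OFFICE_COPY)),
    (HASH + "6", _task(_EVERY % "PT14M", "HighestAvailable", VLC_COPY)),
    ("NightlyBackup", _task(_DAILY, "LeastPrivilege", r"C:\Program Files\Backup\backup.exe")),
]

_DUR = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SHORT_REPEAT_S = 15 * 60  # assumed threshold
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")

def iso_duration_seconds(text):
    """ISO 8601 duration as Task Scheduler writes it (PT5M, PT1H30M, P1D) -> seconds."""
    m = _DUR.match(text or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

@dataclass
class TaskAudit:
    name: str
    command: str
    run_level: str
    triggers: list  # (trigger kind, repetition interval in seconds or None)
    flags: list = field(default_factory=list)

def audit_task(name, xml_text):
    root = ET.fromstring(xml_text)
    cmd = root.find("t:Actions/t:Exec/t:Command", NS)
    command = (cmd.text or "").strip().strip("\"'") if cmd is not None else ""
    rl = root.find("t:Principals/t:Principal/t:RunLevel", NS)
    run_level = rl.text.strip() if rl is not None and rl.text else "LeastPrivilege"
    triggers = []
    for trig in root.findall("t:Triggers/*", NS):
        iv = trig.find("t:Repetition/t:Interval", NS)
        triggers.append((trig.tag.rsplit("}", 1)[-1],
                         iso_duration_seconds(iv.text) if iv is not None else None))
    audit = TaskAudit(name, command, run_level, triggers)
    low = command.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if run_level == "HighestAvailable":
        audit.flags.append("highest_privileges")
    if any(kind == "LogonTrigger" for kind, _ in triggers):
        audit.flags.append("runs_at_logon")
    if any(s is not None and s <= SHORT_REPEAT_S for _, s in triggers):
        audit.flags.append("repeats_within_15m")
    if any(p in low for p in USER_WRITABLE):
        audit.flags.append("target_in_user_writable_path")
    # Naming habit seen in this report: task name and target share a stem
    # (Registry / RegistryR -> Registry.exe, <hash>6 -> <hash>.exe).
    n = name.lower()
    if len(n) >= 4 and len(stem) >= 4 and (n.startswith(stem) or stem.startswith(n)):
        audit.flags.append("name_mirrors_target")
    return audit

def suspicious(audits, min_flags=2):
    return [a for a in audits if len(a.flags) >= min_flags]

if __name__ == "__main__":
    for a in suspicious(audit_task(n, x) for n, x in TASKS):
        print(a.name, "->", a.command, a.flags)
```

The result is a review list, not a verdict: highest_privileges together with runs_at_logon is also what a legitimate elevated updater looks like, so the name and target of every hit still need a look. Against a real host, replace TASKS with the files under C:\Windows\System32\Tasks read through ET.parse, which copes with the UTF-16 encoding Task Scheduler writes them in.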

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
PL 95.214.53.31:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
PL 95.214.53.31:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2948-0-0x00007FFE57C23000-0x00007FFE57C25000-memory.dmp

memory/2948-1-0x00000000005D0000-0x0000000000786000-memory.dmp

memory/2948-2-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

memory/2948-3-0x0000000002850000-0x000000000286C000-memory.dmp

memory/2948-6-0x00000000028A0000-0x00000000028B0000-memory.dmp

memory/2948-4-0x000000001BA70000-0x000000001BAC0000-memory.dmp

memory/2948-5-0x0000000002880000-0x0000000002888000-memory.dmp

memory/2948-7-0x000000001B3A0000-0x000000001B3B6000-memory.dmp

memory/2948-8-0x00000000028B0000-0x00000000028C2000-memory.dmp

memory/2948-9-0x000000001BA30000-0x000000001BA40000-memory.dmp

memory/2948-10-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

memory/2948-11-0x000000001BA20000-0x000000001BA28000-memory.dmp

memory/2948-13-0x000000001BA40000-0x000000001BA4C000-memory.dmp

memory/2948-14-0x000000001BA50000-0x000000001BA5C000-memory.dmp

memory/2948-17-0x000000001BDD0000-0x000000001BDDC000-memory.dmp

memory/2948-18-0x000000001BE20000-0x000000001BE2C000-memory.dmp

memory/2948-16-0x000000001BDC0000-0x000000001BDC8000-memory.dmp

memory/2948-15-0x000000001BA60000-0x000000001BA6A000-memory.dmp

memory/2948-21-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

memory/2948-22-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

C:\Program Files\VideoLAN\VLC\lua\http\6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4.exe

MD5 39f0dd73b6cd3626818cb2f1dc808fff
SHA1 5a75243e011e0b435225548d7d332a5401813c7a
SHA256 6c54dc7f97375dfa134a7a542dcb18616ddb18d81f1c5f324b7b04291770d0c4
SHA512 c4a72e89c655dbd54fe1f9ace1e5106b589f145a67226f857bb0d118036f244bf040c6043cd95ec89f4097c96789cf85b9954dc5a99df78417f1b349e34ad5f0

memory/2948-59-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

memory/2140-68-0x0000024CCC850000-0x0000024CCC872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvyfdm3p.l2l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\EOqXiy1HZC.bat

MD5 46bf4e540ff68f1f3605454cf1f4ae41
SHA1 89b6e0cf88e17cb0454adc15f6e908bed2c39d54
SHA256 7c9e9e9710e2ee9c7f4e8dd25f58423fa9d5f418c12810a69374805b4cc1bd5c
SHA512 5d29f591bce5b62b16b4961529baf673eb38c7e704a88dbe91b6c1b95a068b97c3c1f3f37d113b5e7717d3e58d90f42fea0287c041bc7cdebc42c49baca7709c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

memory/4144-187-0x000000001AED0000-0x000000001AEE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5a4df294-bfcb-4a0a-b358-ffde13e5f6a4.vbs

MD5 743bd8ac8b74d8dd19c8da4da58fa804
SHA1 42ebc76f799d2f5c62b9e4ec6d03db892b856f2c
SHA256 7a551ea4eda2014ab06baa6c9d3940094eecd2e12a17657116651b6911ae627b
SHA512 9806ba7b9a7cacdb08698eae4f400051aca1110fc7e225349bbc83a5a9f1face3fd0a349e4b89c3b97bc6aed5c13128ccb9da2f4b92ba446a689f7de42ed19da

C:\Users\Admin\AppData\Local\Temp\2298898f-9d76-4325-84f3-b120f0cc6a1b.vbs

MD5 fff7656fc9d7141fe56bb27f406aed26
SHA1 04999c28e87c2e229617c40ca85a090ba19e8c0d
SHA256 c4621b34a3d10354bdb438c44ef23bfc295c4717c7d7e38f19368aa72f91394e
SHA512 35a496284fba4c134ec2101ecb0eca17e779e72660906b95d2d48be3555ca8f2e7096ab92b26b6e6dbd834e4459fc7cbb1899967f78ddc981059fa432c9a67bd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

MD5 3ad9a5252966a3ab5b1b3222424717be
SHA1 5397522c86c74ddbfb2585b9613c794f4b4c3410
SHA256 27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512 b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

memory/4172-200-0x000000001BE20000-0x000000001BE32000-memory.dmp