Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-pbs64sfb79
Target a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce
SHA256 a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce
Tags
rat dcrat evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce

Threat Level: Known bad

The file a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DcRat

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 12:09

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 12:09

Reported

2024-06-03 12:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (this identical row appears 45 times in the original table, once per schtasks.exe process)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\System\es-ES\wininit.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files (x86)\Uninstall Information\System.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Windows Journal\de-DE\winlogon.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Windows Journal\de-DE\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Common Files\System\es-ES\56085415360792 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wininit.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\56085415360792 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellNew\lsass.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Windows\ShellNew\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (this identical row appears 45 times in the original table, once per schtasks.exe process)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A (this identical row appears 7 times in the original table)
N/A N/A C:\Program Files\Common Files\System\es-ES\wininit.exe N/A (this identical row appears 57 times in the original table)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\System\es-ES\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\System\es-ES\wininit.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Common Files\System\es-ES\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe

"C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ShellNew\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\es-ES\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4cea" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4cea" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\de-DE\winlogon.exe'" /rl HIGHEST /f

C:\Program Files\Common Files\System\es-ES\wininit.exe

"C:\Program Files\Common Files\System\es-ES\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b842d4d-a038-43fe-9606-8976be327841.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb5f3cb4-078f-4bbd-ac9e-659653cc2c61.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0981513.xsph.ru udp
RU 141.8.192.126:80 a0981513.xsph.ru tcp
RU 141.8.192.126:80 a0981513.xsph.ru tcp
RU 141.8.192.126:80 a0981513.xsph.ru tcp

Files

memory/2168-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

memory/2168-1-0x0000000000390000-0x00000000004C4000-memory.dmp

memory/2168-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

memory/2168-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

memory/2168-4-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/2168-5-0x0000000000360000-0x000000000036A000-memory.dmp

memory/2168-6-0x0000000000370000-0x000000000037C000-memory.dmp

memory/2168-7-0x0000000000380000-0x000000000038C000-memory.dmp

memory/2168-8-0x00000000005D0000-0x00000000005DA000-memory.dmp

memory/2168-9-0x00000000005F0000-0x00000000005FE000-memory.dmp

memory/2168-10-0x00000000006A0000-0x00000000006A8000-memory.dmp

memory/2168-11-0x00000000006B0000-0x00000000006BC000-memory.dmp

C:\Program Files\Common Files\System\es-ES\wininit.exe

MD5 7bc377d9a505c22bddf18251c3a11c4b
SHA1 eaa7eea3812a66a33a2c1b8840b692f8466167c3
SHA256 a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce
SHA512 628fdbb2da90257297523fb8a8c7df0007a6e37cbd97bd9bd31bc3c1b36fa8252b46140c476ac9adb59386fc3f43493ae8ee400c4c071910a46f330c754e5f22

memory/1268-48-0x0000000000ED0000-0x0000000001004000-memory.dmp

memory/2168-49-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3b842d4d-a038-43fe-9606-8976be327841.vbs

MD5 2d20b0dcdb4e111fcbe63a0b91adc740
SHA1 e7dbb2520746eff177055608e63ffe8e37214656
SHA256 4a02ef53ebd942f97cd9fe8828af002b52872d146418948b7c4ce90cfb331c1f
SHA512 2b12e381f2d7172028846750f6f49e61e3bd8181fe46ae95d46fe24b9a8511ab69c83ba0e105d3b1826d0e3a0f271ee6aae8407b1e27833b7c9565697c02e38b

C:\Users\Admin\AppData\Local\Temp\bb5f3cb4-078f-4bbd-ac9e-659653cc2c61.vbs

MD5 8fa13854515268911065b77d40eb8ee2
SHA1 a06f37155bf59557e60b4d7b0b244efeb616b7f9
SHA256 6f376ef8dd896a03ac94484a877538f92788663a17c6f8075bcb4eff5da2870c
SHA512 2df8098e3541640c272e3a876034a1169efa654890845905b71598be1cbd8db4c1f16f03147956915cfdbbae7f03a29c088c25c2981a457463fd3f6ae62461e1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 12:09

Reported

2024-06-03 12:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(30 identical rows, one per schtasks.exe /create invocation listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\Logs\SettingSync\lsass.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Logs\SettingSync\lsass.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Logs\SettingSync\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\explorer.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\7-Zip\Lang\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\7-Zip\Lang\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\SettingSync\lsass.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Windows\Logs\SettingSync\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Windows\PolicyDefinitions\uk-UA\Registry.exe C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
File created C:\Windows\PolicyDefinitions\uk-UA\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\Logs\SettingSync\lsass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
(14 identical rows)
N/A N/A C:\Windows\Logs\SettingSync\lsass.exe N/A
(50 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Logs\SettingSync\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Logs\SettingSync\lsass.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Logs\SettingSync\lsass.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe

"C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\SettingSync\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\SettingSync\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\uk-UA\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4cea" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4cea" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ts6NB1lUiF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Logs\SettingSync\lsass.exe

"C:\Windows\Logs\SettingSync\lsass.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\174f07c0-f715-4c6c-9a12-55c36fc60514.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aff87354-daa3-4ec7-98d1-cc8660ee4bc6.vbs"

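The following triage script is an added example; it is not part of the sandbox output and is not DcRat's own code. It turns the behaviours recorded in this section into three checks a practitioner would want to run over endpoint telemetry: schtasks.exe launched by a parent that should not be spawning it (the wmiprvse.exe rows under Signatures), scheduled tasks whose /tr target borrows a Windows system process name but runs from a non-system path (lsass.exe under C:\Windows\Logs\SettingSync, taskhostw.exe under C:\Users\Default User), with the same payload registered both ONLOGON and every few minutes as a watchdog pair, and the three UAC policy values forced to 0. The events are constructed from the rows above; the lists of suspicious parents and system-binary names, and the benign control rows, are our own assumptions.

```python
"""Triage rules for the DcRat behaviours in this report, run over constructed
process and registry events copied from the Processes and Signatures sections."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows system process names reused by the dropped copies in this report.
# The list is our assumption, not something the sandbox emits.
SYSTEM_BINARY_NAMES = {
    "lsass.exe", "services.exe", "taskhostw.exe", "fontdrvhost.exe",
    "sppsvc.exe", "registry.exe", "idle.exe", "wininit.exe", "explorer.exe",
    "csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe",
}
# Directories those names may legitimately run from (explorer.exe lives
# directly in C:\Windows; Registry and Idle have no image file at all).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Parents that have no business launching schtasks.exe (our assumption; the
# report's own rule fires on wmiprvse.exe).
SUSPICIOUS_SCHTASKS_PARENTS = {
    "wmiprvse.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}
UAC_POLICY_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)   # /tr "'C:\path\x.exe'"
_RL = re.compile(r"/rl\s+(\S+)", re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def parse_schtasks(cmdline):
    """Pull the fields out of a `schtasks /create` command line; None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, mo, tr, rl = (p.search(cmdline) for p in (_TN, _SC, _MO, _TR, _RL))
    if not (tn and tr):
        return None
    return {
        "name": tn.group(1),
        "schedule": sc.group(1).upper() if sc else None,
        "modifier": int(mo.group(1)) if mo else None,
        "target": tr.group(1),
        "runlevel": rl.group(1).upper() if rl else None,
    }


def is_masquerading_path(path):
    """True when a system-binary name is launched from outside the system directories."""
    return basename(path) in SYSTEM_BINARY_NAMES and parent_dir(path) not in SYSTEM_DIRS


def triage(events):
    """Apply the three rules and return (rule, detail) findings."""
    findings = []
    schedules = defaultdict(set)  # task target path -> set of /sc schedule types
    for ev in events:
        if ev["type"] == "registry":
            value_name = ev["key"].rsplit("\\", 1)[-1]
            if value_name in UAC_POLICY_VALUES and ev["value"] == "0":
                findings.append(("uac_tamper", f"{value_name}=0 by {basename(ev['process'])}"))
            continue
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == "schtasks.exe" and parent in SUSPICIOUS_SCHTASKS_PARENTS:
            findings.append(("unexpected_parent", f"{parent} -> schtasks.exe"))
        task = parse_schtasks(ev["cmdline"]) if image == "schtasks.exe" else None
        if task:
            schedules[task["target"]].add(task["schedule"])
            if is_masquerading_path(task["target"]):
                findings.append(("masquerade_task",
                                 f'{task["name"]} -> {task["target"]} (rl={task["runlevel"]})'))
    # DcRat-style watchdog: the same payload registered at logon and every N minutes.
    for target, kinds in schedules.items():
        if {"ONLOGON", "MINUTE"} <= kinds:
            findings.append(("watchdog_pair", target))
    return findings


# Constructed events, copied from the rows in this report plus two benign controls.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce.exe"
LSASS_COPY = r"C:\Windows\Logs\SettingSync\lsass.exe"
POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    {"type": "process", "parent": WMI, "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\SettingSync\lsass.exe'" /f'''},
    {"type": "process", "parent": WMI, "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Logs\SettingSync\lsass.exe'" /rl HIGHEST /f'''},
    {"type": "process", "parent": WMI, "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f'''},
    # Control (constructed): an admin creating a task from cmd.exe with a System32 target.
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Windows\System32\robocopy.exe'" /f'''},
    # Control: the w32tm delay trick from the report is not a schtasks event.
    {"type": "process", "parent": DROPPER, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"type": "registry", "process": DROPPER, "key": POLICY + r"\EnableLUA", "value": "0"},
    {"type": "registry", "process": LSASS_COPY, "key": POLICY + r"\ConsentPromptBehaviorAdmin", "value": "0"},
    {"type": "registry", "process": LSASS_COPY, "key": POLICY + r"\PromptOnSecureDesktop", "value": "0"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the constructed events the script reports three unexpected-parent hits, three masquerading tasks, the lsass.exe copy as an ONLOGON plus MINUTE watchdog pair, and three UAC tamper events, while the two control rows produce nothing. The path check is deliberately on the task target rather than on the task name, since the names here (lsassl, taskhostwt) are close enough to real ones to defeat a name-only rule.
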
Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 a0981513.xsph.ru udp
RU 141.8.192.126:80 a0981513.xsph.ru tcp
RU 141.8.192.126:80 a0981513.xsph.ru tcp
US 8.8.8.8:53 126.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 141.8.192.126:80 a0981513.xsph.ru tcp

Files

memory/1020-0-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

memory/1020-1-0x00000000003A0000-0x00000000004D4000-memory.dmp

memory/1020-2-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

memory/1020-3-0x0000000000CA0000-0x0000000000CAE000-memory.dmp

memory/1020-4-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

memory/1020-5-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

memory/1020-6-0x00000000026A0000-0x00000000026AC000-memory.dmp

memory/1020-7-0x00000000026B0000-0x00000000026BC000-memory.dmp

memory/1020-9-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

memory/1020-8-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

memory/1020-10-0x00000000026C0000-0x00000000026C8000-memory.dmp

memory/1020-11-0x000000001B650000-0x000000001B65C000-memory.dmp

C:\Windows\PolicyDefinitions\uk-UA\Registry.exe

MD5 7bc377d9a505c22bddf18251c3a11c4b
SHA1 eaa7eea3812a66a33a2c1b8840b692f8466167c3
SHA256 a2f042eba266194ccd92301d73fa6314a40c53737f35bda4215c1ea0ab71d4ce
SHA512 628fdbb2da90257297523fb8a8c7df0007a6e37cbd97bd9bd31bc3c1b36fa8252b46140c476ac9adb59386fc3f43493ae8ee400c4c071910a46f330c754e5f22

memory/1020-37-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ts6NB1lUiF.bat

MD5 cb5779f0501213991339f2f591d06245
SHA1 0c62ef552147ad89b83374aef40f2f071f9c1a52
SHA256 7cd83fc9a0826e51ca8d869e345d40ef0f027f4c37f83b2126d818ef09599abf
SHA512 6e0adc9e2ddb15a2406a3ff775564569fe33002afcc3cfd15f31d4e50a73d7237af9d4e6a73ccb74494d8b6f1de8bb4105833353c07fd9d7f47631efe36b5653

C:\Users\Admin\AppData\Local\Temp\174f07c0-f715-4c6c-9a12-55c36fc60514.vbs

MD5 28ae4f1f94a20e33c7de4627519995ef
SHA1 eda894bfe87e7d742db05f04be2503e8e630d7b5
SHA256 e382e06228e7bd1e4c24415457ef131fa5e2fd164b7565e6f553b4612a7d4077
SHA512 4fd8afd55f7f50b212e294bd194d6d664a1e70d7442b7a7b3a929dbf2df8ab05522c232a2491779471585b7d99dee2c446af0ca011fdd1b744d3ab2586b05de7

C:\Users\Admin\AppData\Local\Temp\aff87354-daa3-4ec7-98d1-cc8660ee4bc6.vbs

MD5 9ee668ebaa8affe3d6576bcdddbcf26e
SHA1 06931b3265291a64113509d9e65544a9153a52de
SHA256 fc8ab8d790cc9b4346d84f567d145ee5e19b4f04652b886c350865441b5987c9
SHA512 565e69e87e0bf47bd806aac53320164b7c3a9e937d454beff978f6629d36828625c514953cd6b4f223907f4d9585601d7d0b7da06884b444570a00f599d75758