Malware Analysis Report

2024-11-30 04:37

Sample ID 240613-bhc7ksscll
Target 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe
SHA256 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc
Tags execution spyware stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc

Threat Level: Known bad

The file 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe was found to be: Known bad.

Malicious Activity Summary

execution spyware stealer

Process spawned unexpected child process

Detects executables packed with unregistered version of .NET Reactor

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:08

Signatures

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:08

Reported

2024-06-13 01:10

Platform

win7-20240611-en

Max time kernel

136s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (15 identical events)

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A (3 identical detections)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\AppCompat\Programs\lsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Shared Gadgets\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\000093e6871dc0 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\lsm.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\AppCompat\Programs\101b941d020240 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A (64 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\AppCompat\Programs\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical events)
Token: SeDebugPrivilege N/A C:\Windows\AppCompat\Programs\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2104 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2104 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2104 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2104 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 2104 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\cmd.exe (3 identical events)
PID 836 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 identical events)
PID 836 wrote to memory of 2004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical events)
PID 836 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\AppCompat\Programs\lsm.exe (3 identical events)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe

"C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc2" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc2" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HtR8vfwywf.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\AppCompat\Programs\lsm.exe

"C:\Windows\AppCompat\Programs\lsm.exe"

Network

Country Destination Domain Proto
RU 5.35.98.20:80 5.35.98.20 tcp (3 identical connections)

Files

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization.Calendars\smss.exe

MD5 1e4e43ca35d4e8ecd2526bb48ed71f8d
SHA1 9320f40971e6d7e5bec8a42004edda8fca45a38a
SHA256 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc
SHA512 f08d421cc981cfa55eef393b564b189ffcf5acc14f507ccd618bd2466acc375f8d576443c7371edea9a3635f855fb267c4b7a96d050234124fa670fc11d584c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ab47aa5247fabafea020cc42ff8a6411
SHA1 14efcd07b21fc7cb6eabd904cb4aeb94e3af8737
SHA256 8f0a6f4b384f4a0250c21f12b5d421620b1bafab8e29c3b8061c2277d78d25eb
SHA512 2b7fece09df23a46bad69523d42baf4a43df5fb279ff98f03c35f06800a9fa037326de0c2c932a2e497ab011d9971f077893a61d24803cf39eb9ae7445cf8f40

C:\Users\Admin\AppData\Local\Temp\HtR8vfwywf.bat

MD5 bcd36cd0f25789e076c6822d63093c16
SHA1 d6694a199ecbd73117b39edf23a5d088a815b048
SHA256 2143a30d92fc7d1bb71db994900b6acaac54363fe13c31962cfb6313fbf2fafa
SHA512 2144427cc8b0f902f5407ffb436a161998181a6c01db7ec6440bc0bd608216e6133c816e828054972a90e2dfb5d074cf35b68a16618748743c2883c2c6c37119

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:08

Reported

2024-06-13 01:10

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (15 identical events)

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A (2 identical detections)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\ShellExperiences\RuntimeBroker.exe N/A (4 identical events)
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\22eafd247d37c3 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\24dbde2999530e C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File opened for modification C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\ShellExperiences\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\bcastdvr\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A
File created C:\Windows\bcastdvr\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\ShellExperiences\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\ShellExperiences\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\ShellExperiences\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\ShellExperiences\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3604 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\cmd.exe
PID 3604 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe C:\Windows\System32\cmd.exe
PID 2320 wrote to memory of 1204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2320 wrote to memory of 1204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2320 wrote to memory of 4076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2320 wrote to memory of 4076 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2320 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 2320 wrote to memory of 3140 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 3140 wrote to memory of 428 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 3140 wrote to memory of 428 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 428 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 428 wrote to memory of 3920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 428 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 428 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 428 wrote to memory of 3736 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 428 wrote to memory of 3736 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 3736 wrote to memory of 1660 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 3736 wrote to memory of 1660 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1660 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1660 wrote to memory of 3352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1660 wrote to memory of 3352 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1660 wrote to memory of 3280 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 1660 wrote to memory of 3280 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 3280 wrote to memory of 4268 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 3280 wrote to memory of 4268 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 4268 wrote to memory of 4512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4268 wrote to memory of 4512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4268 wrote to memory of 1872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4268 wrote to memory of 1872 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4268 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 4268 wrote to memory of 2744 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 2744 wrote to memory of 1552 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 1552 N/A C:\Windows\ShellExperiences\RuntimeBroker.exe C:\Windows\System32\cmd.exe
PID 1552 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1552 wrote to memory of 3008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1552 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1552 wrote to memory of 4580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1552 wrote to memory of 668 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe
PID 1552 wrote to memory of 668 N/A C:\Windows\System32\cmd.exe C:\Windows\ShellExperiences\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe

"C:\Users\Admin\AppData\Local\Temp\2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellExperiences\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rS2ueqnAp9.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\ShellExperiences\RuntimeBroker.exe

"C:\Windows\ShellExperiences\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\ShellExperiences\RuntimeBroker.exe

"C:\Windows\ShellExperiences\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\ShellExperiences\RuntimeBroker.exe

"C:\Windows\ShellExperiences\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tI0tYXMWWV.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellExperiences\RuntimeBroker.exe

"C:\Windows\ShellExperiences\RuntimeBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\ShellExperiences\RuntimeBroker.exe

"C:\Windows\ShellExperiences\RuntimeBroker.exe"

Network

Country Destination Domain Proto
RU 5.35.98.20:80 tcp
RU 5.35.98.20:80 tcp
RU 5.35.98.20:80 tcp
RU 5.35.98.20:80 tcp
RU 5.35.98.20:80 tcp

Files

C:\Program Files (x86)\Windows Multimedia Platform\WmiPrvSE.exe

MD5 1e4e43ca35d4e8ecd2526bb48ed71f8d
SHA1 9320f40971e6d7e5bec8a42004edda8fca45a38a
SHA256 2ae039382032dd68e323e7f9808c25f90ff71f6e68a8f22734eb875965177efc
SHA512 f08d421cc981cfa55eef393b564b189ffcf5acc14f507ccd618bd2466acc375f8d576443c7371edea9a3635f855fb267c4b7a96d050234124fa670fc11d584c3

memory/3904-95-0x000001BB1E760000-0x000001BB1E782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znuc2hvj.bmh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3604-119-0x00007FF841A80000-0x00007FF842541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rS2ueqnAp9.bat

MD5 8b77c5697c329a36902d2a3e2e9383bd
SHA1 fca90d2412789178369e4f8a11a8355d65905931
SHA256 0a3298364e1471cd1af8e1e61f7c1ebde2f13169b809596a84bcf72a9f880987
SHA512 1cb6790e904e23f0855ce8bf329b54230531e99014cdadfe7026a62674c3cceea039f50ca279580442cfa651f2468107aefd8366d045b0a767c7fa8b4a3aef88

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3140-169-0x000000001BF60000-0x000000001BF68000-memory.dmp

memory/3140-176-0x000000001BF60000-0x000000001BF68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat

MD5 20a600b563ec69af6617932f8f199771
SHA1 d1a26ecf9aa4661c80a53a41345e20ed47e7b949
SHA256 a6b57044cf13312e01c3f17343ceb2d9916d22f9da27a1a861482d24b098ddcf
SHA512 97835b6f06ce63a73539d05820a309eef2963d8dea84d76266eb5d1978d1ca9697c79fe2483afd2a93e0a95ab233d9c88a0501b77e20226bdd90f770cb0b5446

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 8ee01a9d8d8d1ecf515b687bf5e354ca
SHA1 c3b943dce30e425ae34e6737c7d5c3cdd92f79c5
SHA256 c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1
SHA512 6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

memory/3736-205-0x000000001BD90000-0x000000001BD98000-memory.dmp

memory/3736-211-0x000000001BD90000-0x000000001BD98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat

MD5 c636e85f3714eb0eb94300afdef58819
SHA1 38bea1102137f1942b21b2726b74c7395f9208a5
SHA256 84533a64bb392b55f1fa96af46d94a438258eca9bb78a6aa96cfbc99c56f5786
SHA512 de9e5150412e50124511684bb781b9e7d79fec0d8802b620cccca39243d51e49897f67309197641c6c65e18f1036c301d2e6f6f7fd5bfa29e103d64af9af70d8

memory/3280-239-0x000000001BB30000-0x000000001BB38000-memory.dmp

memory/3280-245-0x000000001BB30000-0x000000001BB38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tI0tYXMWWV.bat

MD5 1bf9be7b2086fd4d4977f6357cc6b7db
SHA1 c3c231257d80d8a3d818957df39caa46a4a12d93
SHA256 599b54585adf2fdb947edcee949b4926267012f1b04bcf2f78287636d34a7eb4
SHA512 9bb11103a8756eeb9fc44c945ba028c61a531bdd18e96f82f421b55637614abc05e691e02879b37dde92ef9dc62604c06dd94372c662cc05b0d33dedb178bc01

memory/2744-273-0x000000001BD80000-0x000000001BD88000-memory.dmp

memory/2744-279-0x000000001BD80000-0x000000001BD88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat

MD5 6ccb1a325a692d615e1cb7c8a79c078b
SHA1 9e443a8e6fdc0a714ef5407d0d1f3fbe0c40b586
SHA256 3b4ea2e0a61e99ca7f327af2a53ce6cf5ce0ea97536baabcd90adfee71bec31d
SHA512 ec7881eb79c59e1e386dc80e702062cf831fb953b4a4c3028cd28b02e17329c5b74560343567d8725ddbdaf04029465c536d4632640cb668d9bcfc51c2ee80d0